On Tuesday, January 19, 2021 at 11:01:15 AM UTC+1, Ramiro Muñoz wrote:

> Finally, I’d like to ask you, based on which article of Mozilla Root Store 
> Policy, you are sentencing a removal from the Mozilla store. 

Oh, I know this one: It is in the Mozilla Root Store Policy, 7.3: "Mozilla MAY, 
at its sole discretion, decide to disable (partially or fully) or remove a 
certificate at any time and for any reason." (You might really want to start to 
read the Mozilla Root Store Policy and BR before posting here or in incident 

But please note that Matt is not sentencing anyone but merely providing 
arguments for the module peers/owner, who, by Mozilla's decision-making 
process, will call the shots in the end (by their sole discretion possibly 
based or not based on arguments in this thread).

Also, your whataboutisms might not serve you well. If you think that other CAs 
have handled incidents inadequately, your questions in the respective incident 
report bugs would surely have been much appreciated.

On the subject, since the start of this thread, things have actually got worse. 
Camerfirma evidently got under pressure, which, for a functioning CA, would 
result in better incident handling and an opportunity to show their solid 
foundation as a CA. Instead, Camerfirma, besides engaging in absurd 
argumentation in this thread, has started to request bugs clearly not fully 
remediated be closed 
<https://bugzilla.mozilla.org/show_bug.cgi?id=1667430#c35>). Recently, we have 
also learned that Camerfirma does not even have an understanding (or process) 
about the BR's revocation timelines 

There cannot be such a thing as a "last chance" ("Let's see how things work 
out"/"Camerfirma gets removed with the next incident") as this would put even 
more pressure on Camerfirma. It would also come with a massive incentive for 
Camerfirma to not report any more incidents. For Mozilla and their users, this 
would come with the risk of unreported incidents but also the need for an 
emergency release of Firefox and other relying software in case Camerfirma has 
to be removed in an unorderly way. Thus, orderly (pre-announced) distrust in 
one of the next Firefox release is the only way forward.
dev-security-policy mailing list

Reply via email to