This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed.
Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mozilla establishes a clear protocol for handling security incidents and communicates this effectively to all participants. I am also curious as to how Mozilla will choose to interpret the facts that have been made available. The way in which this incident is handled will establish a precedent for future security incidents, and it is important that Mozilla approaches this with a clear and consistent stance.

Ryan Hurst

On Monday, November 28, 2022 at 2:52:47 AM UTC-8 Peter Gutmann wrote:

> Ian Carroll <[email protected]> writes:
>
> >There are many statements about M of N, HSM access, etc which do not appear
> >to be relevant to this issue.
>
> That's not specific to e-Tughra though, that's standard for CAs where what
> gets audited is all the fancy security mechanisms around the CA's private
> key(s) and what barely, or not at all, gets audited is the various RAs that
> pull the CA's strings.
>
> Years ago I saw a cartoon lampooning a certain country's defence policy which
> had lifeguard-style flags set up on a piece of open ground and a sign between
> them saying "Please attack between the flags". With CAs it'd be "please
> audit between the flags".
>
> Not defending or criticising e-Tughra, just pointing out that this isn't their
> fault, it's How CAs Are Done.
>
> Peter.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/8de9a3a2-7b3f-4644-bdfb-3b198e054facn%40mozilla.org.
