Hi Mike,

On Thu, 2 May 2024 17:09:42 -0400 Mike Shaver <[email protected]> wrote:

> From also reviewing a number of historical incidents in Bugzilla, it
> seems that currently the decision as to whether to sanction a CA is
> largely evaluated on a per-incident basis: is this specific incident
> sufficient grounds to disrupt subscribers and relying parties by
> forcibly revoking some or all of the CA's issued certificates?

This has not been the case for at least 7 years:

Symantec: https://groups.google.com/g/mozilla.dev.security.policy/c/kxs3kyqRqYU/m/QDPpj9pOEAAJ
WoSign/Startcom: https://groups.google.com/g/mozilla.dev.security.policy/c/k9PBmyLCi8I/m/mKSMaz9eCgAJ
PROCERT: https://groups.google.com/g/mozilla.dev.security.policy/c/lqZersN26VA/m/NVLf6YPWAAAJ
Certinomis: https://groups.google.com/g/mozilla.dev.security.policy/c/rmU311hOIIc/m/36RWof79CgAJ
Camerfirma: https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/diOfeWNpBQAJ

These CAs were all distrusted based not on a single incident but rather their aggregate behavior.

Regards,
Andrew

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20240502182537.4f826991e70abaf2dfd18257%40andrewayer.name
