Oh, I feel dumb for not searching the old Google group, considering that I
used to subscribe to it.

Thanks for that, I'll review those cases and see how they were brought
forward.

Mike


On Thu, 2 May 2024 at 18:25, Andrew Ayer <[email protected]> wrote:

> Hi Mike,
>
> On Thu, 2 May 2024 17:09:42 -0400
> Mike Shaver <[email protected]> wrote:
>
> > From also reviewing a number of historical incidents in Bugzilla, it
> > seems that currently the decision as to whether to sanction a CA is
> > largely evaluated on a per-incident basis: is this specific incident
> > sufficient grounds to disrupt subscribers and relying parties by
> > forcibly revoking some or all of the CA's issued certificates?
>
> This has not been the case for at least 7 years:
>
> Symantec:
> https://groups.google.com/g/mozilla.dev.security.policy/c/kxs3kyqRqYU/m/QDPpj9pOEAAJ
>
> WoSign/Startcom:
> https://groups.google.com/g/mozilla.dev.security.policy/c/k9PBmyLCi8I/m/mKSMaz9eCgAJ
>
> PROCERT:
> https://groups.google.com/g/mozilla.dev.security.policy/c/lqZersN26VA/m/NVLf6YPWAAAJ
>
> Certinomis:
> https://groups.google.com/g/mozilla.dev.security.policy/c/rmU311hOIIc/m/36RWof79CgAJ
>
> Camerfirma:
> https://groups.google.com/g/mozilla.dev.security.policy/c/dSeD3dgnpzk/m/diOfeWNpBQAJ
>
> These CAs were all distrusted based not on a single incident but rather
> their aggregate behavior.
>
> Regards,
> Andrew
>
