On Thu, May 30, 2024 at 8:28 AM 'Jeremy Rowley' via [email protected] <[email protected]> wrote:
>
> Here’s one example provided during our revocation: Hong Kong Monetary
> Authority - Technology Risk Management (hkma.gov.hk)
>
> I haven’t read it all, but according to several of the Chinese banks, there’s
> monetary damages if they replace a certificate without government permission.
> We had the same issue in South America, but those subscribers haven’t sent
> over the corresponding regulations yet.
>
> I don’t think it’s a bright line rule. What I’ve consistently heard is they
> need government approval, which is easily obtained in security incidents but
> hard to obtain when the regulator does not understand why the certificate is
> being replaced. One question I always ask is “What would you do in key
> compromise?”. The answer I get back is that key compromise would be better
> because the regulators understand that. They don’t understand why a
> capitalization issue is requiring a cert rotation. The worse the issue, the
> faster and easier to get permission.

The answer should be "because it will stop working in 5 days since the CA will revoke it, and if they don't the CA will be distrusted". Your subscribers signed an acknowledgement this would happen: did they do so knowing that the regulators don't understand the issue?

Sincerely,
Watson

--
Astra mortemque praestare gradatim
