On Tue, 11 Jun 2024 12:32:47 -0600 "'Ben Wilson' via [email protected]" <[email protected]> wrote:
> Hi Andrew, > > Although we have lost faith in ECM's ability to operate within the > requirements of our root program, we've seen no evidence to suggest > that they've engaged in or will engage in actively malicious behavior. > > We will continue to monitor the situation, and if evidence is found of > misbehavior, then we will remove the root certificate on an expedited > timeline, but still, we won't be waiting a year before filing a > root-removal bug. > > Thanks, > > Ben Hi Ben, My concern isn't malicious behavior by ECM, but rather their lax practices leading to a compromise which allows attackers to get unlogged, backdated certificates that are used to attack Firefox users, which Mozilla would have no way of detecting. I'm particularly worried that they seem to have checked out from being a CA, leaving a CRL broken for over 60 days and not answering any more questions in Bugzilla. It's really hard to understand why the distrust is being done this way in light of what I pointed out about the tiny number of websites that would be impacted by immediate distrust. Could you explain the reasoning some more? Regards, Andrew -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20240611153208.5a970b5b06e1fb3cdf0f1b87%40andrewayer.name.
