On Fri, 14 Jun 2024 at 10:11, Amir Omidi <[email protected]> wrote:

> I missed that they tried to conceal the part of the email where 30 day
> revocation was granted. How on earth is this acceptable?

I want to be clear here: I don't know that that part of the instructions was meant to convey to affected Subscribers that 30 days would be an acceptable timeline for revocation (though of course many certificates didn't even get replaced that quickly...). It may be, for example, that the software in question is limited such that it only offers "reissue with immediate revocation" and "reissue with 30 day revocation". In that case, the latter would be an appropriate choice even if the revocation was to happen on a shorter timeline.

My concern is that *they chose to conceal* this part of the correspondence, and I cannot come up with a good faith reason for doing so given the information that is already public about the ECS system and how to reissue. Obviously the term "30 day" is weird to see there, but if there was a good reason for it (probably a better reason than the one I imagined above), then they should have provided the reason rather than clumsily attempting to conceal part of it. (And after Wayne had indicated both in mdsp and in the incident itself that the contents were already known to some...)

> I’ll have to go double check everything in your correspondence here, but
> if this is all true then this is deeply unsettling and concerning.

Please do so! There have been a lot of comments with a lot of slightly different contents and statements, and it's entirely possible that I mis-referenced something, or made an outright error in my analysis.

Mike
