Given the topic of the concealed '30 day' step is coming up, I do wish to 
clarify my intent. I had been less than subtly telling Entrust for nearly a 
month <https://bugzilla.mozilla.org/show_bug.cgi?id=1886532#c19> that this 
information was known, and was giving them the option to come forward about 
an issue that could look bad if it came to light without context. I had 
been hoping that a mistake was made in March and that it would be 
acknowledged and treated seriously. I attempted every step of the way to 
let Entrust provide the information themselves so that they could explain 
their intentions and clear up any confusion in advance.

That they chose not to is still perplexing to me. I appreciated this could 
be an embarrassing default text string that they never considered in the 4 
years since their prior commitments. However, given their actions in 
response, I can only surmise that it was working as intended.

I still hope they clarify this matter at some point; they have had more 
than enough opportunities. On that note, what is Mozilla's policy for a CA 
answering questions posed on MDSP and the applicable timeframe? I am sure 
the rest of the community are as puzzled over the report received and would 
appreciate clarifications.

- Wayne

On Friday, June 14, 2024 at 3:22:21 PM UTC+1 Mike Shaver wrote:

> On Fri, 14 Jun 2024 at 10:11, Amir Omidi <[email protected]> wrote:
>
>> I missed that they tried to conceal the part of the email where 30 day 
>> revocation was granted. How on earth is this acceptable? 
>>
>
> I want to be clear here: I don't know that that part of the instructions 
> was meant to convey to affected Subscribers that 30 days would be an 
> acceptable timeline for revocation (though of course many certificates 
> didn't even get replaced that quickly...). It may be, for example, that the 
> software in question is limited such that it only offers "reissue with 
> immediate revocation" and "reissue with 30 day revocation". In that case, 
> the latter would be an appropriate choice even if the revocation was to 
> happen on a shorter timeline.
>
> My concern is that *they chose to conceal* this part of the 
> correspondence, and I cannot come up with a good faith reason for doing so 
> given the information that is already public about the ECS system and how 
> to reissue. Obviously the term "30 day" is weird to see there, but if there 
> was a good reason for it (probably a better reason than the one I imagined 
> above), then they should have provided the reason rather than clumsily 
> attempting to conceal part of it. (And after Wayne had indicated both in 
> mdsp and in the incident itself that the contents were already known to 
> some...)
>  
>
>> I’ll have to go double check everything in your correspondence here, but 
>> if this is all true then this is deeply unsettling and concerning.
>>
>
> Please do so! There have been a lot of comments with a lot of slightly 
> different contents and statements, and it's entirely possible that I 
> mis-referenced something, or made an outright error in my analysis.
>
> Mike
>  
>

To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6e35dbdf-ad03-428f-a641-67e1a981889cn%40mozilla.org.
