Quick preliminary question: Is this now the final report? The final report that was due two weeks ago.
Can you explain how this document is going to reconcile the recent response we got from Entrust over this bug? https://bugzilla.mozilla.org/show_bug.cgi?id=1890685#c46 Specifically:

> Thanks, Tim. In Comment 29 <https://bugzilla.mozilla.org/show_bug.cgi?id=1890685#c29> posted on June 5, 2024, we issued an updated incident report for this bug stating that we no longer believe this is a mis-issuance. Given this position, there should be no need for further reporting as described in your Question 1.

On Friday, June 21, 2024 at 3:21:08 PM UTC-4 Mike Shaver wrote:

> Thanks, Bruce.
>
> On first quick read of the response, I have some concerns about specific elements but the level of detail and specificity is much more appropriate, IMO, than with the first response. Thank you for those additions.
>
> What is the best way to provide feedback on this improved response? I think there are a few important questions still open.
>
> Mike
>
> On Fri, Jun 21, 2024 at 2:59 PM 'Bruce Morton' via [email protected] <[email protected]> wrote:
>
>> Attached is a letter from Bhagwat Swaroop, President of Entrust Digital Security Solutions, along with an updated response to address questions from the community.
>>
>> Thanks, Bruce.
>>
>> On Tuesday, June 18, 2024 at 1:35:48 PM UTC-4 Amir Omidi (aaomidi) wrote:
>>
>>> I am not going to say with certainty that Entrust is definitely putting Chrome over Mozilla. However, I hope they know that most Linux systems out there use the Mozilla root store directly.
>>>
>>> On Tuesday, June 18, 2024 at 1:12:19 PM UTC-4 Mike Shaver wrote:
>>>
>>>> On Tue, Jun 18, 2024 at 12:49 PM Walt <[email protected]> wrote:
>>>>
>>>>> I'd just like to point out that we now have a situation where Entrust is in the position of seemingly valuing the opinion of other Root Programs over Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c42
>>>>>
>>>>> In Comment #37, it was hinted at (and made slightly more explicit in #39) that the opinion of the Mozilla RP is that the attempt to re-characterize these certs was not going to be looked kindly upon, and only once a Google RP member explicitly said that it was the Google RP opinion that the certs remained mis-issued was any movement made on re-confirming the mis-issuance and taking action to revoke them.
>>>>>
>>>>> Also, if we're in a position where Entrust is finally able to commit to revoking certs within a 5 day period (setting aside that these certs technically need a delayed revocation bug as the mis-issuance was known as far back as 2024-04-10), why are other incidents not able to be resolved in this amount of time? Is it because Google showed up?
>>>>
>>>> We’ve seen this behaviour in other incidents as well, I believe including the cpsURI one that has turned into a magnet for evidence of poor operation and lack of transparency and responsiveness. I remarked on it in my initial snarky reply to the Entrust Report, in fact.
>>>>
>>>> From a realpolitik perspective their behaviour could indeed be rational, especially when the only tool root programs have is distrust. Firefox would suffer substantial market disadvantage if it stopped trusting Entrust certificates when other browsers didn’t. I think people generally underestimate how much Mozilla would be willing to take near-term pain to protect users, but it’s also possible that I am overestimating it.
>>>>
>>>> Related to that, I think Chrome’s root program representatives have generally been more willing to take a concrete position quickly, so Mozilla might be waiting for more explanation when Chrome decides that there’s no explanation that could suffice, or similar. The root programs tend to be in agreement more often than not (virtually always with Chrome and Mozilla, I would say, excepting some slightly different root store populations), so it may be somewhat irrelevant whose opinion spurs motion.
>>>>
>>>> Realpolitik analysis aside, I do agree that Entrust has created the impression that they care much more about Chrome’s opinion than Mozilla’s, which IMO might not be the best posture to take given that Mozilla and its community are the locus for the processing and evaluation of the incidents in question.
>>>>
>>>> Mike
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f3cebe9b-fa25-4b11-ba3d-b7f3f6e0f719n%40mozilla.org <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f3cebe9b-fa25-4b11-ba3d-b7f3f6e0f719n%40mozilla.org?utm_medium=email&utm_source=footer>.

-- 
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/0688298d-a027-4adc-83b1-8d3357a87ba4n%40mozilla.org.
