Thanks. I think the best way to respond is for each person to gather all of their comments into a single email with a list of remaining issues found and then submit it to this thread.

Thanks,
Ben
On Fri, Jun 21, 2024 at 1:21 PM Mike Shaver <[email protected]> wrote:
> Thanks, Bruce.
>
> On first quick read of the response, I have some concerns about specific elements but the level of detail and specificity is much more appropriate, IMO, than with the first response. Thank you for those additions.
>
> What is the best way to provide feedback on this improved response? I think there are a few important questions still open.
>
> Mike
>
> On Fri, Jun 21, 2024 at 2:59 PM 'Bruce Morton' via [email protected] <[email protected]> wrote:
>
>> Attached is a letter from Bhagwat Swaroop, President of Entrust Digital Security Solutions, along with an updated response to address questions from the community.
>>
>> Thanks, Bruce.
>>
>> On Tuesday, June 18, 2024 at 1:35:48 PM UTC-4 Amir Omidi (aaomidi) wrote:
>>
>>> I am not going to say with certainty that Entrust is definitely putting Chrome over Mozilla. However, I hope they know that most Linux systems out there use the Mozilla root store directly.
>>>
>>> On Tuesday, June 18, 2024 at 1:12:19 PM UTC-4 Mike Shaver wrote:
>>>
>>>> On Tue, Jun 18, 2024 at 12:49 PM Walt <[email protected]> wrote:
>>>>
>>>>> I'd just like to point out that we now have a situation where Entrust is in the position of seemingly valuing the opinion of other Root Programs over Mozilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c42
>>>>>
>>>>> In Comment #37, it was hinted at (and made slightly more explicit in #39) that the opinion of the Mozilla RP is that the attempt to re-characterize these certs was not going to be looked kindly upon, and only once a Google RP member explicitly said that it was the Google RP opinion that the certs remained mis-issued was any movement made on re-confirming the mis-issuance and taking action to revoke them.
>>>>>
>>>>> Also, if we're in a position where Entrust is finally able to commit to revoking certs within a 5 day period (setting aside that these certs technically need a delayed revocation bug as the mis-issuance was known as far back as 2024-04-10), why are other incidents not able to be resolved in this amount of time? Is it because Google showed up?
>>>>>
>>>>
>>>> We've seen this behaviour in other incidents as well, I believe including the cpsURI one that has turned into a magnet for evidence of poor operation and lack of transparency and responsiveness. I remarked on it in my initial snarky reply to the Entrust Report, in fact.
>>>>
>>>> From a realpolitik perspective their behaviour could indeed be rational, especially when the only tool root programs have is distrust. Firefox would suffer substantial market disadvantage if it stopped trusting Entrust certificates when other browsers didn't. I think people generally underestimate how much Mozilla would be willing to take near-term pain to protect users, but it's also possible that I am overestimating it.
>>>>
>>>> Related to that, I think Chrome's root program representatives have generally been more willing to take a concrete position quickly, so Mozilla might be waiting for more explanation when Chrome decides that there's no explanation that could suffice, or similar. The root programs tend to be in agreement more often than not (virtually always with Chrome and Mozilla, I would say, excepting some slightly different root store populations), so it may be somewhat irrelevant whose opinion spurs motion.
>>>>
>>>> Realpolitik analysis aside, I do agree that Entrust has created the impression that they care much more about Chrome's opinion than Mozilla's, which IMO might not be the best posture to take given that Mozilla and its community are the locus for the processing and evaluation of the incidents in question.
>>>>
>>>> Mike
>>>>
>> --
>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f3cebe9b-fa25-4b11-ba3d-b7f3f6e0f719n%40mozilla.org
