On Wed, Jun 26, 2024 at 6:54 PM Tyrel <[email protected]> wrote:
> While I agree that having detailed use-case environments that result in
> subscribers requesting delayed revocation might be fascinating to read, I
> think it will be in practice very difficult to gather given the lack of
> specificity that seems to be publicly provided:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1886442
> https://bugzilla.mozilla.org/show_bug.cgi?id=1887888
> https://bugzilla.mozilla.org/show_bug.cgi?id=1889062
> https://bugzilla.mozilla.org/show_bug.cgi?id=1896053
> https://bugzilla.mozilla.org/show_bug.cgi?id=1872738
> https://bugzilla.mozilla.org/show_bug.cgi?id=1896553
>
> None of these (or others) have the level of detail needed to really
> understand what the use-case is, or why that use case is critical (not
> critical to revenue generation activities of the subscriber, but to
> society/the webPKI community).
>

Yes, these incident reports are not, IMO, in compliance with Mozilla’s policies.

While the existence of the delayed revocation protocol might make delayed revocation seem more acceptable, I think that it currently serves a useful purpose (or could, if complied with in good faith) in helping other CAs identify scenarios that they should prepare for themselves, and can shine light on cases where the CA is misaligned with the purpose and requirements of the Mozilla root program.

Imagine how much harder people would have to fight to get useful information about a failure to revoke on time, if there wasn’t that set of Mozilla expectations to start from…

Mike
