Frank Hecker <hec...@mozillafoundation.org> writes:

> My intent is to balance the disruption that would be caused by pulling
> a root vs. the actual security threat to users. Right now we have no
> real idea as to the extent of the problem (e.g., how many certs might
> have been issued without proper validation, how many of those were
> issued to malicious actors, etc.).

Isn't that, by itself, a very good reason to take immediate action?
Security should be default-fail rather than default-pass.

Hendrik