RE: CA handling of contact information when reporting problems

2019-08-22 Thread Jeremy Rowley via dev-security-policy
:49 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: CA handling of contact information when reporting problems I'm merely a relying party and subscriber, but it seems quite unreasonable to believe that there is or should be any restriction upon a party to a business communica

Re: CA handling of contact information when reporting problems

2019-08-22 Thread Matthew Hardeman via dev-security-policy
I'm merely a relying party and subscriber, but it seems quite unreasonable to believe that there is or should be any restriction upon a party to a business communication (which is what a report / complaint from a third party regarding key compromise, etc, is) from further dissemination of said comm

RE: CA handling of contact information when reporting problems

2019-08-22 Thread Tim Hollebeek via dev-security-policy
CA is here, since it isn't covered by any compliance requirements. -Tim > -Original Message- > From: dev-security-policy On > Behalf Of Jakob Bohm via dev-security-policy > Sent: Monday, August 19, 2019 8:22 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Su

Re: CA handling of contact information when reporting problems

2019-08-21 Thread Adrian R via dev-security-policy
On Monday, 19 August 2019 17:26:06 UTC+3, Mathew Hodson wrote: [...] > If these situations were common, it could create a chilling effect on > problem reporting that would hurt the WebPKI ecosystem. Are specific > procedures and handling of contact information in these situations > covered by the

Re: CA handling of contact information when reporting problems

2019-08-20 Thread Ryan Sleevi via dev-security-policy
On Mon, Aug 19, 2019 at 10:26 AM Mathew Hodson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > If these situations were common, it could create a chilling effect on > problem reporting that would hurt the WebPKI ecosystem. Are specific > procedures and handling of contact

Re: CA handling of contact information when reporting problems

2019-08-20 Thread Daniel Marschall via dev-security-policy
Hello, I am a bit shocked about this case. The fact that this happened to someone would restrain myself from reporting key compromises. Even though it is the company's fault to protect their private key, their lawers still might sue the incident-reporter. A judge might not understand the PKI

Re: CA handling of contact information when reporting problems

2019-08-19 Thread Jakob Bohm via dev-security-policy
On 20/08/2019 03:15, Corey Bonnell wrote: On Monday, August 19, 2019 at 10:26:06 AM UTC-4, Mathew Hodson wrote: Tom Wassenberg on Twitter reported an experience he had with Sectigo when reporting a compromised private key. https://twitter.com/tomwas54/status/1162114413148725248 https://twitter.