I think open source is great, but it's not a panacea.
While there are many CAs and several root programs, this community is a
relatively small one in the grand scheme.
Prior events suggest that there are not enough people with the necessary
skill overlap to parse both the rules and the code to
On Thursday, March 14, 2019 at 11:54:52 PM UTC+1, James Burton wrote:
> Let's Encrypt CA software 'Boulder' is open source for everyone to browse
> and check for issues. All other CAs should follow the Let's Encrypt lead
> and open source their own CA software for everyone to browse and check for
Hi,
It might have been found, but there's a good chance it would have been bypassed
anyhow. Since it was not a bug in the code, you would have had to analyze it
in the context of the discussions around b164, which I think there are probably
very few people who could/would. I may be wrong, and
(Forgot to post it to m.d.s.p)
You're right that we all failed to conduct the proper due diligence source
code checks on EJBCA and therefore missed this important issue. We all need
to learn from this past mistake and implement better checks which prevent
issues like this that might arise in the
On Thu, Mar 14, 2019 at 6:54 PM James Burton via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Let's Encrypt CA software 'Boulder' is open source for everyone to browse
> and check for issues. All other CAs should follow the Let's Encrypt lead
> and open source their own
Let's Encrypt CA software 'Boulder' is open source for everyone to browse
and check for issues. All other CAs should follow the Let's Encrypt lead
and open source their own CA software for everyone to browse and check for
issues. We might have found the serial number issue sooner.
Thank you,