On 09/13/2011 03:38 PM, Gervase Markham wrote:
> On 13/09/11 13:06, Marsh Ray wrote:
>> Or not, like the Dutch government, have the pull to convince Mozilla to
>> hesitate for a few days to revoke your pwned CA.
>
> That is rather unfair. You make it sound like they asked, and we
> complied. In truth, we relied on an assessment of the situation from
> GovCERT, the Dutch CERT - who have a decent reputation. When their
> assessment changed, we changed our position; whether they should have
> made their initial assessment the way they did is a good question, and
> one which concerned parties should ask them.
>
> It is certainly not an obvious truth, even more so in the heat of the
> moment, that a compromise of one part of a certificate hierarchy at a CA
> necessarily means that an entirely different one is also compromised. It
> may, it may not - that depends on the arrangement and interlinking or
> otherwise of the issuance systems.
>
> Anyway, regardless, the situation is more complex than your allegation
> of back-room influence.

Yes, I believe that and apologize if I characterized it unfairly.

That was just the impression I was left with reading the various explanations and interpretations of what was going on over those few days. I'm sure they weren't very accurate.

I can only imagine how hectic that process was for the parties involved and how complex a decision it must have been. Please understand that folks like me are looking at it all through a somewhat obscured window.

Sorry again.

- Marsh
_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec