On Sunday, 13 August 2017 04:04:45 UTC+1, Eric Mill wrote:
> While not every issuing CA may take security seriously enough to employ
> engineers on staff who can research, author and deploy a production code
> fix in a 24 hour period, every issuing CA should be able to muster the
> strength to keep the community informed of their plans and progress in
> however long it takes to address the issue.
In my opinion the correct incentive structure here is: we don't care whether you ever start issuing again, but you have a limited time to stop the problem; if you can't fix it quickly, that will be by ceasing issuance.

Switching off the issuance pipeline in a timely fashion when a problem is uncovered (so that things stop getting worse) needs to be something every CA can do. It should always be within the skill set of the personnel available "on call" when things go wrong. But whether they have engineers able to actually fix a problem the same day, the next day or a month later is an operational detail for the CA leadership. For commercial CAs there is presumably some trade-off between the need to be seen as a reliable supplier for repeat subscribers and the cost of having on-call engineers. But it needn't concern m.d.s.policy where they think it best to draw the line, so long as they prevent the problem recurring by switching off an affected issuance pipeline until it's fixed.

I am minded to draw a comparison to "emergency plumber" services. Despite it being an "emergency", the plumber will be no more quickly able to source parts from a discontinued product line, or to plan and install complex new systems, than a non-emergency plumber. Those things may still take weeks. But what they can always do immediately is switch off the supply of water or gas so as to stop things getting worse.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

