On Mon, Mar 30, 2020 at 5:43 PM Matt Palmer via dev-security-policy <[email protected]> wrote:
>
> On Mon, Mar 30, 2020 at 01:48:28PM -0700, Josh Aas via dev-security-policy wrote:
> > Matt - It would be helpful if you could report issues like this to the CA
> > in question, not just to mdsp.
>
> Helpful to *whom*, exactly? I don't write up these reports to be helpful to
> the CA in question; I write them to be helpful to the community. I don't
> see how reporting these problems to an individual CA is helpful to anyone
> except that one CA -- which, as I said, is not a goal I am aiming for here.
I don't think that's quite a particularly helpful stance to take :) Or, put differently, "why not both"

That said, your specific incident was in the gray area, where you'd already previously reported compromise and the CA issued certs with known compromised keys. You shouldn't "have" to report those new keys, but it's still good form.

> At any rate, since (as I understand it) all CAs are supposed to be watching
> mdsp anyway, sending a report here should be equivalent to sending it to all
> CAs -- including Let's Encrypt -- anyway.

Ish? https://wiki.mozilla.org/CA/Incident_Dashboard specifically encourages reporters to file a new incident bug. https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report allows CAs to post to m.d.s.p. and a member will convert to a bug, but I don't think it should be, nor do I want, m.d.s.p. to be the general catch-all reporting mechanism for general users :) For one, as you can see by my timeliness to the threads, it makes it hard to respond and triage appropriately.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

