I'd rather deal with disruption caused thereby (and, yes, the user complaints generated thereby -- at least then the end-user would KNOW that there's a problem that's being dealt with rather than having a FALSE SENSE OF SECURITY) than let those potential security breaches continue to wreak their quiet little havoc.
-Kyle H

On Tue, Dec 23, 2008 at 11:15 AM, Hendrik Weimer <hend...@enyo.de> wrote:
> Frank Hecker <hec...@mozillafoundation.org> writes:
>
>> My intent is to balance the disruption that would be caused by pulling
>> a root vs. the actual security threat to users. Right now we have no
>> real idea as to the extent of the problem (e.g., how many certs might
>> have been issued without proper validation, how many of those were
>> issued to malicious actors, etc.).
>
> Isn't that, by itself, a very good reason to take immediate action?
> Security should be default-fail rather than default-pass.
>
> Hendrik

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto