* Hendrik Weimer:

> Frank Hecker <hec...@mozillafoundation.org> writes:
>
>> My intent is to balance the disruption that would be caused by pulling
>> a root vs. the actual security threat to users. Right now we have no
>> real idea as to the extent of the problem (e.g., how many certs might
>> have been issued without proper validation, how many of those were
>> issued to malicious actors, etc.).
>
> Isn't that, by itself, a very good reason to take immediate action?
> Security should be default-fail rather than default-pass.

This is not about security, this is about the presence or absence of an obscure browser warning.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto