On 01/03/2009 04:43 PM, Ian G:
> What incentive exists for a CA in disclosing an apparent weakness?
> Quite frankly, none.
> We've seen both sides over the last 2-3 weeks.
Not entirely correct...but...
> So I guess there are two questions: 1. do we want to live in the world of open disclosure, or the world of pretty facades? 2. if the former, how do we create the incentives such that all prefer to disclose up front?
...I wouldn't be willing to disclose each and every detail of code, preventive measures, controls and procedures and possible events. But since there was not much to hide anymore from our incident and the cat is out of the bag anyway, and since the event has been dealt with correctly IMO and the vulnerability neutralized, there was no problem providing some details about it now. Better than having rumors and people guessing...
However, depending on the severity, reporting and disclosing is not a privilege. But I'm not sure if it can be enforced.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto