Bug 1887888 Comment 13 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

(In reply to Man Ho from comment #12)
> During the incident, we immediately made an urgent request to the vendor's management, emphasizing the need for prompt resolution as a top priority. We closely monitored the delivery of the tailor-made system patch and allocated additional resources for thorough system testing and regression testing upon its receipt ensuring the system patch could be applied at the earliest time. 

And yet, it took a month. That you pushed the vendor so hard in this case and it took a month is not a point in favour of your ability (really willingness) to meet your commitments.

Ultimately, though, it would have been the same problem if you’d had in-house software that took a month to fix, so this is more an expression of concern for your sake than a material concern. You assume the risk for using a vendor’s software and not having an agreement with them that ensures that you get fixes in the timelines required by your commitments to the BRs, and that is a perfectly legitimate choice for you to make. What is *not* acceptable is for you to push that risk onto the users of the WebPKI through willful non-conformance.

> We are committed to follow Mozilla’s revocation guidelines for handling the revocation of mis-issued certificates.

**What is different about your commitment now, versus at the beginning of the underlying incident? Were you not committed to following the revocation guidelines then?**

But also, you quite conspicuously did not answer these questions from the comment you replied to:

(In reply to Mike Shaver (:shaver -- probably not reading bugmail closely) from comment #11)
> **Was (having subscribers obtain replacement certificates from another CA that was capable of issuing correct certificates) discussed with subscribers? If not, why not? If so, why was it not pursued?**

I think that failure to do that, and instead keeping invalid certificates live for a *month*, is a very serious issue and I think Hongkong Post should explain their reasoning very clearly—keeping in mind that their first responsibility as a CA is to the WebPKI, and not to the convenience of their customers, or to them keeping those customers.

I have bolded my questions in this comment to make it easier for you to ensure that you respond to all of them.

(In reply to Man Ho from comment #12)
> During the incident, we immediately made an urgent request to the vendor's management, emphasizing the need for prompt resolution as a top priority. We closely monitored the delivery of the tailor-made system patch and allocated additional resources for thorough system testing and regression testing upon its receipt ensuring the system patch could be applied at the earliest time. 

And yet, it took a month. That you pushed the vendor so hard in this case and it took a month is not a point in favour of your ability (really willingness) to meet your commitments.

Ultimately, though, it would have been the same problem if you’d had in-house software that took a month to fix, so this is more an expression of concern for your sake than a material concern. You assume the risk for using a vendor’s software and not having an agreement with them that ensures that you get fixes in the timelines required by your commitments to the BRs, and that is a perfectly legitimate choice for you to make. What is *not* acceptable is for you to push that risk onto the users of the WebPKI through willful non-conformance.

> We are committed to follow Mozilla’s revocation guidelines for handling the revocation of mis-issued certificates.

**What is different about your commitment now, versus at the beginning of the underlying incident? Were you not committed to following the revocation guidelines then?**

[Edit: the remainder of this comment was in error, and I apologize for it.]

~~But also, you quite conspicuously did not answer these questions from the comment you replied to:

(In reply to Mike Shaver (:shaver -- probably not reading bugmail closely) from comment #11)
> **Was (having subscribers obtain replacement certificates from another CA that was capable of issuing correct certificates) discussed with subscribers? If not, why not? If so, why was it not pursued?**

I think that failure to do that, and instead keeping invalid certificates live for a *month*, is a very serious issue and I think Hongkong Post should explain their reasoning very clearly—keeping in mind that their first responsibility as a CA is to the WebPKI, and not to the convenience of their customers, or to them keeping those customers.

I have bolded my questions in this comment to make it easier for you to ensure that you respond to all of them.~~
