Bug 1887888 Comment 14 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I owe an apology, I clearly missed the entire first paragraph of your response.

(In reply to Man Ho from comment #12)
> (In reply to Mike Shaver (:shaver -- probably not reading bugmail closely) from comment #11)
> 
> > Was this option discussed with subscribers? If not, why not? If so, why was it not pursued?
> > sissued a certificate due to a bug in their software?
> 
> When our major customers were made aware of the incident, we entered into discussions about this option. They have carefully evaluated the impact of this option and considered various factors such as the certificate application process, system changes that may involve, additional manpower requirements, internal policy and guidelines and so on. Eventually, they have not taken the option.

Were the subscribers informed about your duty to revoke under the BRs? Did you set a maximum time that you would wait for a fix before revoking without being able to issue a replacement? Would you have waited two months to revoke? A year?

If the alternative to switching to another CA is “nothing happens” then obviously it is less work and disruption for them to just wait. They made a legal agreement to tolerate immediate revocation, though, and the purpose of that agreement is to protect CAs such that they can do their agreed duty to uphold the BRs. Instead it seems that Hongkong Post decided to disregard the crystal-clear intent of the BRs, putting the convenience of their subscribers ahead of their responsibilities to the WebPKI.

So only the most important question remains, I think:

**What is different about your commitment now, versus at the beginning of the underlying incident? Were you not committed to following the revocation guidelines then?**

I owe an apology, I clearly missed the entire first paragraph of your response.

(In reply to Man Ho from comment #12)
> (In reply to Mike Shaver (:shaver -- probably not reading bugmail closely) from comment #11)
> 
> > Was this option discussed with subscribers? If not, why not? If so, why was it not pursued?
> > sissued a certificate due to a bug in their software?
> 
> When our major customers were made aware of the incident, we entered into discussions about this option. They have carefully evaluated the impact of this option and considered various factors such as the certificate application process, system changes that may involve, additional manpower requirements, internal policy and guidelines and so on. Eventually, they have not taken the option.

Were the subscribers informed about your duty to revoke under the BRs? Did you set a maximum time that you would wait for a fix before revoking without being able to issue a replacement? Would you have waited two months to revoke? A year?

If the alternative to switching to another CA is “nothing happens” then obviously it is less work and disruption for them to just wait. They made a legal agreement to tolerate immediate revocation, though, and the purpose of that agreement is to protect CAs such that they can do their agreed duty to uphold the BRs. Instead it seems that Hongkong Post decided to disregard the crystal-clear intent of the BRs, putting the convenience of their subscribers ahead of their responsibilities to the WebPKI.

So only the most important question remains, I think:

**What is different about your commitment now, versus at the beginning of the underlying incident? Were you not committed to following the revocation guidelines then?**

And, why was a detailed list of subscribers with the rationale for an “exceptional” delay in revocation not provided? The BRs require more than a mere certificate list and summary of some subscribers’ preference to not expend “additional manpower”, in my opinion.
