On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote:
> On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
> firstname.lastname@example.org> wrote:
> > That sounds an *awful* lot like Heartbleed: "a [...] proven method that
> > exposes the Subscriber's Private Key to compromise".
> >
> > Several questions arise from this, which I'd like to get the opinion of the
> > members of this illustrious debating society:
>
> Have you read through the archives? This was already discussed and decided
> as part of handling Heartbleed. This was debated at length, in particular
> as at least one (but possibly more) CAs charged for revocation, which
> created challenges and potential conflicts with the contemporaneous BRs and

Are you referring to the m.d.s.p archives, or somewhere else? (Perhaps
public@cabforum?) I have, in fact, gone through the m.d.s.p archives, and I
can't see anything that addresses what I'm asking. I can't even find a
"lengthy" thread in
from around the time of Heartbleed that actually discusses revocation policy
in any detail, just a couple of big ones that mention it in passing (like
"DRAFT: May CA Communication").

The thread that seems to come closest to touching on the issues is from
2017, and doesn't start off discussing Heartbleed, but rather just a mass of
compromised keys: https://groups.google.com/d/msg/mozilla.dev.security.policy/71AXGTgcX9c/skHsKFdDBAAJ

I assume that isn't the discussion you were referring to, because it is so
far removed, temporally, from "handling Heartbleed".

I would appreciate it if you could point me specifically to the relevant
past discussions, so I can inform myself of the past decision.