From:  Matt Palmer <mpalmer@hezmatt.org>
Date:  27 May 2019 13:32:15 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.security.policy
Subject:  Re: Does Heartbleed count for the purposes of BR 4.9.11 point 11? ("proven or demonstrated method")

NNTP-Posting-Host:  63.245.210.105

On Mon, May 27, 2019 at 06:06:42AM +0300, Ryan Sleevi wrote:
> On Mon, May 27, 2019 at 4:34 AM Matt Palmer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > That sounds an *awful* lot like Heartbleed: "a [...] proven method that
> > exposes the Subscriber's Private Key to compromise".
> >
> > Several questions arise from this, which I'd like to get the opinion of the
> > members of this illustrious debating society:
>
> Have you read through the archives? This was already discussed and decided
> as part of handling Heartbleed. This was debated at length, in particular
> as at least one (but possibly more) CAs charged for revocation, which
> created challenges and potential conflicts with the contemporaneous BRs and
> Policy.

Are you referring to the m.d.s.p archives, or somewhere else?  (Perhaps
public@cabforum?) I have, in fact, gone through the m.d.s.p archives, and I
can't see anything that addresses what I'm asking.  I can't even find a
"lengthy" thread in
https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/heartbleed%7Csort:date
from around the time of Heartbleed that actually discusses revocation policy
in any detail, just a couple of big ones that mention it in passing (like
"DRAFT: May CA Communication").

The thread that seems to come closest to touching on the issues is from
2017, and doesn't start off discussing Heartbleed, but rather just a mass of
compromised keys: https://groups.google.com/d/msg/mozilla.dev.security.policy/71AXGTgcX9c/skHsKFdDBAAJ
I assume that isn't the discussion you were referring to, because it is so
far removed, temporally, from "handling Heartbleed".

I would appreciate it if you could point me specifically to the relevant
past discussions, so I can inform myself of the past decision.

- Matt