Re: [websec] Certificate Pinning via HSTS (.txt version)

[Marsh Ray <marsh@extendedsubset.com>]

On 09/13/2011 03:38 PM, Gervase Markham wrote:
> On 13/09/11 13:06, Marsh Ray wrote:
>> Or not, like the Dutch government, have the pull to convince Mozilla to
>> hesitate for a few days to revoke your pwned CA.
>
> That is rather unfair. You make it sound like they asked, and we
> complied. In truth, we relied on an assessment of the situation from
> GovCERT, the Dutch CERT - who have a decent reputation. When their
> assessment changed, we changed our position; whether they should have
> made their initial assessment the way they did is a good question, and
> one which concerned parties should ask them.
>
> It is certainly not an obvious truth, even more so in the heat of the
> moment, that a compromise of one part of a certificate hierarchy at a CA
> necessarily means that an entirely different one is also compromised. It
> may, it may not - that depends on the arrangement and interlinking or
> otherwise of the issuance systems.
>
> Anyway, regardless, the situation is more complex than your allegation
> of back-room influence.

Yes, I believe that and apologize if I characterized it unfairly.

That was just the impression I was left with reading the various 
explanations and interpretations of what was going on over those few 
days. I'm sure they weren't very accurate.

I can only imagine how hectic that process was for the parties involved 
and how complex a decision it must have been. Please understand that 
folks like me are looking it at all through a somewhat obscured window.

Sorry again.

- Marsh