by Dayshine 2522 days ago
I'm not saying Mozilla isn't a good organisation to run this; I'm saying it seems insane to have what seem like policies that don't allow for any proportional response.

I don't know how involved you are, but to a lay observer this story seems like Mozilla's policies are entirely black and white, to the benefit of nobody (except perhaps to reduce work, I suppose, which is reasonable, but not really a valid reason in terms of security).

Is there no tiered approach to risks? Hell, in this situation it seems like more harm and risk will have been created by the rush to reissue certificates that would have been caused by this theoretical security vulnerability.

Edit: Actually, on further reading, it seems like the issue is more that Actalis didn't correctly invoke their right to this discretionary power?


You may also enjoy https://wiki.mozilla.org/CA/Incident_Dashboard , which all the CAs responding to such incidents need to be aware of, and which shows that there is a rather large amount of proportionality, based on an appropriate degree of transparency and communication.
That is very interesting, thank you. And yes, the tone and approach in all the incidents I read through there seemed great.