by zenexer 2175 days ago
Flagging for a title change, as the revocation deadline was proposed by a single individual on a mailing list, and there’s no evidence from further discussion in that thread that a consensus has been reached. I would not expect all these certificates to be revoked within 7 days.

That "single individual on a mailing list" is Ryan Sleevi, who is basically the voice of Google in all matters to do with TLS PKI, and as I understand it is not working with an "opinions my own" cop-out in this context. It's not some rando
In addition to his role with Google/Chrome, he is also a peer of the Mozilla CA module and has a lot of influence in Mozilla's policies as well.
It’s still one person. There needs to be a consensus, and that consensus hasn’t been reached. As has already been mentioned in other comments, Mozilla said they wouldn’t enforce the 7-day deadline.
Flagging doesn’t result in title changes, it just terminates the post. Emailing the mods using the footer Contact link does, though.
Thanks. It’s a moot point now, but I’ll note that for the future.
I changed the title. Although I heard from someone involved that the intermediates really should be revoked in 7 days. Let's wait and see.
They definitely should be—that’s what the author is claiming is mandated, and it would make sense. However, I’m a bit skeptical about browsers being able to enforce that timeline here.

Also, given that the underlying cause appears to be ignorance, it would be prudent to take things slow and ensure that this doesn’t happen again. As I said before, the damage is already done—revoking appears to be insufficient here.

If this does actually happen within 7 days, though, I will be thoroughly impressed.

It could be considered a tacit warning that browsers may choose to mistrust the impacted subCAs in the near future. I don’t know the specifics, but I assume they can revoke for non-compliance using in-browser mechanisms without depending on the revocation process.

EDIT: Mozilla’s reply: https://news.ycombinator.com/item?id=23748561

You don't have to trust Sleevi (though: you always should); you can just read the BRs. The revocation requirement is in this case black-letter SHALL.

https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-...