I don't follow, Microsoft build infra was just recently popped?
Sure, if the frequency was capped somehow, that would be acceptable? Let's say, the law encodes some SLA for vendors that you believe package signing infrastructure can reasonably sustain. I don't know if the law can do that, but for discussion purposes.
Rate limiting frequency would need to be one mitigation for sure, doesn’t address the complexity of authorization verification, especially when looking at their supposed SLA goals of an hours to days turnaround.
Consider the efficacy of EV verification today (woefully insufficient even for use) as the best case and this is much harder because it’s an authorization not authentication verification that needs to take place.
