Thank you to Alexander Sotirov for a detailed account of his research team's communications with Microsoft and the subsequent e-mails on the topic. Alexander's account is available at this link for reading, and for the sake of this post I'll try to paraphrase as fairly as possible. After explaining the researchers' motivations and the steps Alexander et al. took to ensure that their attack was not usable by an outside malicious party, this missive goes on to detail the timeline and content of messages with Microsoft on the topic of sharing this information with the CA in question, which happened to be VeriSign.
Based on the content of this message it appears that we lost some of the information internally. I expect that owes itself to the small number of individuals involved and their vacation schedules. It still doesn't appear to me that we knew when and where this announcement would take place (certainly I did not), and when the likes of Wired and The Washington Post began calling me for comment on December 29 I was not aware of the announcement that was coming nor the details of the attack.
Based on this new post it appears that Alexander Sotirov and his companions did indeed ask an intermediary, Microsoft, to contact VeriSign.
The timing of that contact diminished its ability to help us considerably. I don't know anybody at VeriSign who had information about when and where this presentation would take place. I learned that on my own from H.D. Moore's blog post on the topic shortly beforehand.
As stated elsewhere, MD5 was slated for discontinuation anyway, which made it expedient to push the update live more quickly. If the larger organization had been cognizant of this issue (for example if the information had come to us during something resembling a normal work week), I expect the fix would have been live before the presentation happened. As it was, we were engaged in last-minute detective work to try to understand what would be announced and when. The sense of frustration I expressed to Wired and others was quite real, as at that time we had a reported security vulnerability and no clear, available information on what it was. We're never going to be happy about such a situation.
So what should have been different? Well, first of all, our channels did appear to break down internally, probably because of the holiday schedule. VeriSign has normal escalation paths for critical issues that run 24 x 365, but this information didn't come in through them. So yes, the information may have been in the hands of someone who worked for VeriSign, but it didn't get to the places it needed to get to for rapid resolution. It would have been a lot better if we'd been informed on almost any other day of the year. I don't know if there was a specific reason why this communication had to come on Christmas Eve, but in the future I'll encourage others to consider the calendar when making this kind of outreach.
The big takeaway for me from this incident is that we need an environment where researchers and security vendors can trust each other. Alexander has explained why his team did not feel they could place that trust in VeriSign. I have explained why I feel they could have. We at VeriSign would like to see an environment where researchers need not mistrust security vendors and vice versa. We're committed to doing our part to bring back that environment, and we encourage security researchers in the future to reach out directly to us. We promise to treat you fairly and respectfully.
In summary, thank you for this additional information, Alexander. As I stated earlier, I want to give credit where it is due. I apologize if anything I wrote gave you offense. Everything I wrote was aimed at sincerely representing the facts as I understood them at the time.