On Mon, Jan 26, 2015 at 01:25:50PM -0800, Ryan Sleevi wrote:
> To offer concrete suggestions on this:

I'm not sure what you mean exactly, so I'm going to give examples. Assuming the last audit period was 2013-01-01 to 2013-12-31, and the audit statement dated 2014-03-15. According to the BR rules they would have 3 months to provide the new audit report, so the old one expires and the new one must be received by 2015-04-01.

> - A 90-day until audit expiration reminder:

So this would be sent around 2015-01-01?

> - A 30-day until audit expiration reminder:

So that would be around 2015-03-01?

> - 30 days after 1y has elapsed from the previous audit date
> (traditionally, this means 15 months that the CA has been issuing
> certificates since their last audit period)

That would be around 2015-04-15? Or around 2015-05-01? What would happen in case the previous audit statement was already received on 2015-01-15? Around 2015-04-01?

> - Periodic 15d reminders until non-compliance is remedied

Between 2015-05-01 and 2015-06-15?

> - Within 6mo after the audit, Mozilla takes concrete actions upon the CA

2015-07-01? Or 2015-09-15?

I'm in favour of expressing everything based on the period that the audit statement covered and the expiration date (15 months after the end of the audit period) that goes with it. I suggest the following instead:

- 3 months, 1 month and 2 weeks before expiration: reminder that it's going to expire.
- date of expiration and 2 weeks later: saying that it expired
- starting 1 month after expiration, every 2 weeks: adjust the database to indicate that it expired and remind them that it expired and that if they don't act soon they will be removed.
- 3 months after expiration: remove trust settings, add reject settings, send them the last mail.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
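As an added illustration (not code from the list or from Mozilla), the schedule proposed above can be generated mechanically from the end of the audit period: expiration is taken as 15 months after the period end, and the reminder and enforcement dates follow from it. The 15-month validity, the 3-month removal point and the event labels are assumptions drawn from the proposal; month arithmetic clamps to the last day of shorter months.

```python
from datetime import date, timedelta
import calendar

AUDIT_VALIDITY_MONTHS = 15        # assumed: audit expires 15 months after period end
REMOVAL_MONTHS_AFTER_EXPIRY = 3   # assumed: trust removed 3 months after expiration


def add_months(d, months):
    """Shift a date by whole calendar months, clamping the day to the month length."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def audit_expiration(period_end):
    """Expiration date of an audit statement covering a period ending on period_end."""
    return add_months(period_end, AUDIT_VALIDITY_MONTHS)


def reminder_schedule(period_end):
    """All dated actions for one CA, sorted chronologically, per the proposed schedule."""
    exp = audit_expiration(period_end)
    events = [
        (add_months(exp, -3), "reminder: audit will expire"),
        (add_months(exp, -1), "reminder: audit will expire"),
        (exp - timedelta(weeks=2), "reminder: audit will expire"),
        (exp, "notice: audit expired"),
        (exp + timedelta(weeks=2), "notice: audit expired"),
    ]
    removal = add_months(exp, REMOVAL_MONTHS_AFTER_EXPIRY)
    # From one month after expiration, every two weeks until the removal date.
    d = add_months(exp, 1)
    while d < removal:
        events.append((d, "mark expired in database; warn of removal"))
        d += timedelta(weeks=2)
    events.append((removal, "remove trust settings, add reject settings, final mail"))
    return sorted(events)


def actions_due(period_end, today):
    """Actions a daily job should carry out on 'today' for this CA (empty if none)."""
    return [action for when, action in reminder_schedule(period_end) if when == today]


if __name__ == "__main__":
    # Constructed sample: the audit period from the thread, ending 2013-12-31.
    for when, action in reminder_schedule(date(2013, 12, 31)):
        print(when, action)
```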

