On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> I'm after the specifics of the changes to WoSign's policies and procedures
> regarding *notification*, not quality control.  What were WoSign's previous
> policies and procedures regarding notification (obviously there was
> something in place, since Google was notified), and what changes have been
> made to improve those policies to ensure that all root programs are notified
> in line with each program's requirements in the future?

Clarification: In none of these incidents was Google notified proactively by 
WoSign. Instead, Google received communication from internal or external 
researchers regarding these issues, either prior to resolution or much later 
after the fact, and subsequently contacted WoSign regarding them.

It was only when Google found out recently that other programs were NOT 
notified, proactively, as had been expected, that Google shared the details it 
was aware of regarding various CA incidents, including those of WoSign, 
mentioned in this thread.
dev-security-policy mailing list
