On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> I'm after the specifics of the changes to WoSign's policies and procedures
> regarding *notification*, not quality control. What were WoSign's previous
> policies and procedures regarding notification (obviously there was
> something in place, since Google was notified), and what changes have been
> made to improve those policies to ensure that all root programs are notified
> in line with each program's requirements in the future?

Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them. It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy