Yes, sorry for this.

As I admitted that this discussion gives us a big lesson that we know when we 
need to report incident to all browsers. We guarantee we will do it better.

Best Regards,


-----Original Message-----
From: dev-security-policy 
[] On 
Behalf Of Ryan Sleevi
Sent: Friday, August 26, 2016 8:16 AM
Subject: Re: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> I'm after the specifics of the changes to WoSign's policies and 
> procedures regarding *notification*, not quality control.  What were 
> WoSign's previous policies and procedures regarding notification 
> (obviously there was something in place, since Google was notified), 
> and what changes have been made to improve those policies to ensure 
> that all root programs are notified in line with each program's requirements 
> in the future?

Clarification: In none of these incidents was Google notified proactively by 
WoSign. Instead, Google received communication from internal or external 
researchers regarding these issues, either prior to resolution or much later 
after the fact, and subsequently contacted WoSign regarding them.

It was only when Google found out recently that other programs were NOT 
notified, proactively, as had been expected, that Google shared the details it 
was aware of regarding various CA incidents, including those of WoSign, 
mentioned in this thread.
dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to