On 19/10/16 11:35, [email protected] wrote:
> Hey Kathleen, hey list,
>
> I really don't get why Mozilla is pushing so hard on the Chinese and
> at the same time lets others get away. For example the Comodo case
> from today. Isn't that a much worse incident than what has happened
> here?
Today at the CAB Forum I outlined some of Mozilla's thinking on how we rate the severity of incidents. It might be helpful to reproduce that here. This is what I said:

<blockquote>
Many CAs may have been looking at Mozilla's actions a little nervously, conscious that they have had an issue or two in the past, and wondering where the tipping point is which might lead to the production of a WoSign-style "issue list", and if they will ever hit it.

It might therefore be worth noting that while CA incidents have differing levels of seriousness, there are some components which every CA should be able to avoid which are red flags for Mozilla in terms of a continued trust relationship, and which would lead to an investigation. They are:

* Deliberate violation of Mozilla or other applicable policy
* Lying or deception

Mozilla will also assess how concerned we are about an issue in part based on how the CA reacts to that issue, and previous ones. In incident response, Mozilla is looking for the following factors:

* A CA takes responsibility for their own actions.
* Incidents are taken with an appropriate level of seriousness.
* Incidents are handled with haste.
* Root cause analysis is performed.
* Any questions posed, by anyone, are answered quickly and in detail.
* A reasonably-detailed report is made public on what happened, why, and how things have changed to make sure it won't happen again.

The recent issue experienced by Comodo was a good (albeit small) example of this being done.

If people have further questions about this, they should feel free to ask, either now or privately.
</blockquote>

> People were able to issue certs for other people's domains. When
> I read the WoSign answer to the current case
> (https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf)
> I personally felt that they completely understood the seriousness of
> the situation.
If you compare WoSign's responses over the entire period of investigation to the criteria above, I hope you can see how the two incidents are not comparable. In particular, they engaged in deliberate violations of Mozilla policy and lied to cover it up.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

