Mozilla's Enforcement Policy indicates what to do when a serious security concern is noticed, but does not indicate what to do when a lesser security concern is noticed.
The current text is now in section 7, and says: "Changes that are motivated by a serious security concern such as a major root compromise SHOULD be treated as a security-sensitive bug, and the Mozilla Policy for Handling Security Bugs SHOULD be followed." However, the Mozilla Policy for Handling Security Bugs is really an internal Mozilla document, and no longer describes (if it ever did) the bug filing process. Also, those SHOULDs should be MUSTs. I propose instead: "Changes that are motivated by a security concern such as certificate misissuance or a root or intermediate compromise MUST be treated as a security-sensitive, and a <a>secure bug filed in Bugzilla</a>. The link would be directly to the bug filing page, to file a bug in our shiny new component for such things: https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance&groups=crypto-core-security We should also update the other instance of that old link in this way (in section 4.1). This is: https://github.com/mozilla/pkipolicy/issues/17 ------- This is a proposed update to Mozilla's root store policy for version 2.5. Please keep discussion in this group rather than on Github. Silence is consent. Policy 2.4.1 (current version): https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md Update process: https://wiki.mozilla.org/CA:CertPolicyUpdates _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
