Wow, traffic on this group has exploded :-) Thank you to everyone who
has been bringing incidents to our attention.

Clearly, many of these items need official responses and action from
representatives of the Mozilla root program. I have been on holiday
quite a lot recently, and that includes this week, and any time I have
had has been fighting fires relating to my other responsibilities and
requirements placed on me. But please rest assured, all this has not

In the meantime, I would hope CAs would be picking up incidents
relating to themselves, doing investigations and publishing
best-practice-style incident reports here once those investigations were
concluded. I probably need to write a wiki page on this, but in brief,
best practice involves much more than "we revoked the certificates
concerned"; it needs to say "this is how this happened", and "this is
what we've done/are doing to make sure it won't happen again".
dev-security-policy mailing list