Hi Jeremy,

On 09/08/17 21:57, Jeremy Rowley wrote:
> I was thinking you should just have the CAs add them all for you.  Makes it
> easier on you and demonstrates they are tracking and remediating these
> issues.  If I were going to create a bug for these in Mozilla would you
> prefer to see one bug per issue or one bug per CA? For example, should there
> be a bug for all DigiCert issues or should there be one that describes too
> long of serial number and another that says the field contains meta-data?

That is a good point. Thank you for the suggestion.

I would like one bug per root cause, ideally, but as bugs can be more
easily duplicated against each other than split, err on the side of one
bug per issue if the root causes have not been determined with
sufficient clarity yet.

If CAs wish to file bugs about their own issues, they should do so here:

https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Mis-Issuance

(We use the term "mis-issuance" broadly here.) Please include in the
initial comment at least a full copy of the original report from this
group, although you may elide details of certificates from other CAs.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
