On Tuesday, August 15, 2017 at 1:00:04 PM UTC-7, Jonathan Rudenberg wrote: > It’s worth noting that with the exception of the metadata-only > subject fields issue, Alex and I have attempted to contact every > CA listed directly via their public certificate problem reporting channels.
Good point, so in each Bugzilla Bug I should also add the item that their certificate problem reporting channel might be broken. > In addition to this, the Mozilla Root Store policy requires all CAs > to monitor this mailing list. Mozilla's Root Store policy says: "CAs MUST follow and be aware of discussions in the mozilla.dev.security.policy forum, where Mozilla's root program is coordinated." There is no indication about how frequently a representative of the CA must check the m.d.s.policy discussions. And what about when a CA's representative is on vacation? (e.g. the month of August for many CAs) Do we really expect them to monitor m.d.s.policy while on vacation? (I don't even monitor it myself while I'm on vacation.) Also, for many of the subjects for the posts in m.d.s.policy I could see that whomever is monitoring the discussion forum might assume certain posts do not apply to their CA. Cheers, Kathleen _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy