On 05/10/17 05:57, Kathleen Wilson wrote:
> Bug Filed regarding PROCERT Action Items:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1405862

Hi Kathleen,

I know you have already filed the bug, but I think that perhaps the list
of action items might need to be a bit more detailed and/or rigorous
than it is at the moment.

For example, I think there is wisdom in what Ryan says about setting an
amount of time before a company can re-apply. In the case of StartCom we
did not set such a time, because I had thought they might do what I
recommended, which was to switch back from the new WoSign infra that we
didn't trust to the original StartCom infra, which we did. However, they
instead chose to implement new infra from scratch and rushed it, with
the result being the use of PHP, the use of coders without sufficient
training in security, and some terrible code written under extreme time
pressure driven by commercial considerations.

We did give WoSign a time limit of 1 year, although it seems that they
(now called WoTrus) have not yet applied for re-inclusion.

So I think it would be appropriate for us to set a minimum period before
PROCERT can re-apply, and that it be longer than 1 year.

In addition, we do need to address the question of how we can ascertain
that the organization has acquired the technical competence and
management rigour which seems to be lacking. I know you have placed some
audit requirements in there, but I do think we need to discuss whether
those will provide a sufficient guarantee and, if not, if there's
anything that could.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
