The CCADB stores a couple of different types of "contact" records:
* Primary POC (1 or more): someone who is "authorized to speak for and to bind the CA that they represent."
* POC (0 or more): Another contact at that CA.
* Email Alias (1 or 2): defined as "more likely to continue working as personnel change".

All are per-organization values, and I don't believe any of them are published.

However, this then leads to a question about which contacts should be used in what circumstances. The Common CCADB Policy says:

"Notification of security and audit-related issues will be emailed to all POCs and the email aliases; CAs are advised to supply sufficient POCs that will enable them to respond to an issue promptly."

This is a bit of an administrative pain. The proposal is to change things to put the burden of ensuring the appropriate distribution of messages on to the CA. In future, we would just email the first email alias; CAs are responsible for making sure that value is a mailing list which goes to all appropriate parties or systems necessary to provide a timely response.

Any objections?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy