At this point we have a few choices:

1. Do nothing about requiring email as a problem reporting mechanism.
Instead, take on the related issues of disclosure of the reporting
mechanism and receipt confirmation in Mozilla policy, via the CAB Forum, or
both.
2. Go ahead with the proposal to require email, but allow CAs to require
some special but standardized identifier be placed in the message that
they can filter on. For example, CAs could ignore messages sent to their
problem reporting address unless the subject contains the phrase "problem
report".
3. Develop some new problem reporting mechanism that solves the problems
with email and forms. For example, we could require CAs to accept problem
reports posted to this list, but build in some additional time in which to
"receive" the report by reading list messages. Or we could require CAs to
accept problem reports via Bugzilla. We already see problems being reported
via these mechanisms and require CAs to monitor both of them, just not on a
24x7 basis.

The first option ('do nothing') is currently in the lead, so I would
especially like to hear from anyone who wants to argue for a different
solution.

- Wayne
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
