On Tue, Mar 12, 2019 at 4:38 PM Jeremy Rowley via dev-security-policy < [email protected]> wrote:
> I think the primary change I'm proposing is that the initial report
> shouldn't be an incident report. Instead, the initial report can be a short
> blurb posted to Mozilla along with a description of what the CA plans to
> do. Then the community can talk about the plan in addition to the incident,
> rather than just the incident.

Thanks for clarifying, and hopefully I'm not reducing the context too much.

I think if it's before a CA has missed a revocation deadline, that's exactly what's possible. However, once a CA has missed the deadline captured in the Baseline Requirements, it's expected to be an incident report and it's expected that the CA will have a plan on how to resolve it.

I can see a number of ways in which things could go wrong if the CA isn't required to have a plan until they've discussed it with m.d.s.p. CAs are trusted, in theory, because they're able to apply meaningful judgement and to comply with Root Program policies and the Baseline Requirements.

As an example of where this absolutely could backfire, imagine that a CA waits to take action for a given incident, because they're hoping some other CA is affected and that will somehow alter their own need to be responsive. Alternatively, imagine a CA that is not adequately staffed and simply seeks to crib from other CAs' responses - not really providing the community any assurances that the particular CA understands the issues or their own need to be responsive. Imagine a CA that tries to sockpuppet their way into suggesting revocation isn't "really" necessary.

We trust CAs to be responsive and to take corrective steps when they're non-compliant. The Incident Reports provide an avenue of transparency for that, helping the community develop assurance and mitigate concerns that might exist or be introduced by a given plan.
However, I would much rather be in a place where we're seeing CAs take meaningful corrective actions as quickly as possible, and I worry that this proposal would fundamentally discourage it, because it benefits those who wait the longest. I don't think that's the intent, but I think that's a natural consequence.

