I'm not sure there should be a strict requirement that you can't provide that communication (sometimes there is good reason to get people talking together). However, we don't forward this information as policy because we like to get the reports. Anything that ends up stifling getting the information is worse for us and hinders getting third party input on improvements on our operation. A Mozilla policy or CAB forum policy against disclosure seems like a bad idea since there are cases of abuse that could happen given the broad range of potential reasons for revocation under the BRs, some of which may require corroboration between the reporter and site owner, like "accurate information" or "misuse".

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matthew Hardeman via dev-security-policy
Sent: Thursday, August 22, 2019 9:49 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: CA handling of contact information when reporting problems

I'm merely a relying party and subscriber, but it seems quite unreasonable to believe that there is or should be any restriction upon a party to a business communication (which is what a report / complaint from a third party regarding key compromise, etc, is) from further dissemination of said communications.

It seems to me quite a stretch to suggest that even the GDPR restrains such behavior.

Are people seriously suggesting that a third party, with whom you have no NDA or agreement in place, may as much as email you and expect you to take action based upon said email AND expect that you be enjoined from as little as forwarding a copy of that email? That seems absurd.

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy