During the recent CA/Browser Forum meeting, I was asked to provide better
guidance on Mozilla's expectations for incident reporting. We're adding a
requirement for incident reporting to the new version of our policy [1],
but in this message I'm focused on the guidance provided on our wiki [2].
The question was when to add information to an existing bug versus creating
a new one. I'd like to propose adding the following guidance to the wiki to
address this question:

CAs should create a separate bug and file a new incident report when:
* In the process of researching one incident another incident with a
distinct root cause and/or remediation is discovered
* After an incident bug is marked resolved, the incident reoccurs

A third possible addition would be:
* When a CA accidentally or intentionally misses a revocation deadline, a
separate bug should/must be filed examining the root cause and remediation
for missing the deadline

I believe the argument for this is that tracking revocation issues
separately will help us to focus on improving the agility of the web PKI.
On the other hand, Mozilla has not generally required separate reports in
the past, and doing so certainly creates more work for everyone involved.
It's not clear to me that the benefit of this outweighs the cost.

Are there other examples that would provide helpful guidance to CAs?

I will appreciate everyone's input on this proposal.

- Wayne

[1] https://github.com/mozilla/pkipolicy/blob/2.7/rootstore/policy.md#24-incidents
[2] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy