On Thu, 19 Dec 2019 10:23:19 -0700 Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> We've included a question about complying with the intermediate audit
> requirements in the January survey, but not a more general question
> about exceptions. I feel that an open-ended question such as this
> will be confusing for CAs to answer, and moreover I don't want to
> create the impression that Mozilla grants exceptions for policy
> violations because, as a general rule, we don't.

As a general rule you don't grant exceptions, and so exceptions are, let's say, an exception to that general rule? Hence the name.

So, to the same end as my original proposal, I recommend instead that Mozilla personalizes any CA survey sent out to a CA which they believe currently benefits from any such exceptions, setting out what those exceptions to its rules are for that CA. And in all communications the text should be clear that any exceptions the CA believed were in place are in fact spent as far as Mozilla is concerned unless they are enumerated in this communication.

In the event there are in fact NO exceptions, that's just one small tweak to the text. In the event that one or two CAs benefit from some minor exception which still has force, it's a little bit of work, and in the process a firm reminder to both Mozilla and the CA of the ongoing price of such exceptions. And in the event that it's actually dozens of exceptions across many or most CAs, I hope the realisation of the effort involved will cause Wayne to reconsider his previous claim that "as a general rule, we don't".

One valuable opportunity from m.d.s.policy is for CAs to learn from each others' mistakes and in doing so avoid making the same or similar mistakes themselves. But Mozilla has opportunities to learn from mistakes here too, and I feel as though the mismatch between Kathleen's expectation (that a situation should have "resolved" since 2016) and the CA's understanding (that this constituted an indefinite exception to Mozilla policy) is such a mistake.

Nick.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy