On Thu, Dec 19, 2019 at 9:23 AM Wayne Thayer via dev-security-policy <
[email protected]> wrote:

> On Tue, Nov 26, 2019 at 6:10 PM Nick Lamb via dev-security-policy <
> [email protected]> wrote:
>
> > On Mon, 25 Nov 2019 14:12:46 -0800
> > Kathleen Wilson via dev-security-policy
> > <[email protected]> wrote:
> >
> > > CAs should have been keeping track of and resolving their own known
> > > problems in regards to not fully following the BRs and Mozilla
> > > policy. For example, I expect that a situation in which I responded
> > > with an OK in 2016 would have been corrected in the 3 years since
> > > that email was written.
> >
> > Perhaps to this end it would be useful for Mozilla's periodic survey
> > letters to always ask each CA to list any exceptional circumstances they
> > believe currently apply to them?
>
> We've included a question about complying with the intermediate audit
> requirements in the January survey, but not a more general question about
> exceptions. I feel that an open-ended question such as this will be
> confusing for CAs to answer, and moreover I don't want to create the
> impression that Mozilla grants exceptions for policy violations because, as
> a general rule, we don't.
>
> > This would act both as a reminder to Mozilla of any such exceptions
> > which they granted but may have assumed meanwhile ceased to be
> > relevant, AND to the CA of any such exceptions upon which they find
> > themselves still relying.
> >
> > The publication of CA responses is an opportunity for Mozilla, Peers
> > and the wider community to comment on any discrepancy.
>

Maybe rather than including it in the survey, Mozilla should make a
requirement that exception information be included in the yearly
reporting?  It could simply be a separate letter from the CA management
requesting a continuation of the exception or could be a statement of
excluded topics in the auditor's report, depending on the situation and
structure of the audit.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy