All,

First, I would like to add a personal note that I am truly sorry about
the many people, families, and colleagues that are being impacted by the
Coronavirus. This is a heartbreaking situation.

At Mozilla, our responsibility lies in ensuring people's security and
privacy as they navigate the internet. Protecting our users and the
integrity of the web is the reason Firefox exists. The best approach to
do this is to work with certificate authorities as partners, through
open and frank communication.

We will continue to follow our standard process to adjudicate the issue
regarding failures to provide CA audit statements [1] and we will work
with the impacted CAs throughout this process. Pursuant to this process,
Mozilla will file CA incident bugs [2] in Bugzilla when audit statements
are past due. The CA should respond in such bugs providing their
Incident Report [3] explaining the situation with their audits,
precautions that have been taken and their plan to move forward in
reaching compliance again.

If it would be helpful, we could add a note in the Bugzilla whiteboard
to indicate when the delayed audit statements are caused by CAs and
auditors being unable to access facilities to perform the audits due to
circumstances beyond their control. For example, the whiteboard could be
something like: “[ca-compliance] Lockdown - Next Update <date>”. I will
greatly appreciate thoughtful and constructive feedback on this.

Thanks,
Kathleen

References:
[1] https://www.ccadb.org/cas/updates
[2] https://wiki.mozilla.org/CA/Incident_Dashboard
[3] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy