I am also personally surprised and confused by this announcement.

I could imagine of course incident reports being handled with more
leniency when the details reveal that the health emergency contributed
to the issue. I thought that was the point of the no exceptions policy,
to push the CAs to handle the situation as well as possible, and force a
learning process out in the open.

With an opaque exception, the ecosystem is not learning anything about
the circumstances that put the CAs in this situation, and about the
challenges imposed by something that might be a long-term emergency,
giving no opportunity or incentive to improve and avoid similar issues
in the future.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy