All,

I have looked at the list of open bugs in the CA compliance dashboard [0], and I was unpleasantly surprised. There's a total of 75 open issues at the moment of writing, of which 31 have not seen an update in 4 weeks, and of which again 23 [1] are not waiting for a planned future CA or Mozilla action; 30% of the open issues, spread over 14 CAs. (These 23 include issues that end with actions like "A: We will do this" and "B: We will do that at 'date-long-gone'" when there is no indication the action has been taken, and no update since.)
Of those 23, 17 have not seen interactions for over 2 months. (!)

The MRSP (v2.7) requires regular updates for incident reports until the bug is marked as resolved. This means that a CA MUST actively keep track of the issue, even though this is not always understood by CAs [2]. I can understand that it is not always clear what information is still needed to close a bug, but please ask for this information on the issue when this is not known, so that there are no 'zombie' tickets.

To remedy the issue of 'many long-standing open CA-Compliance issues with unclear state', I would like - as a concerned individual and end user of the root store - to ask the relevant CAs and Mozilla to check their issues in the ca-compliance board [0], check whether the issues are 'solved' or what information they need, and update the relevant issues with the updated information or ask for said missing information, so that there is a clear understanding which issues are resolved and which issues need more information / actions by some party in the issue.

As stated before, this process is not always clear to all CAs [2], and in my experience explicit communication helps a lot in checking what is needed to solve an issue.

Kind regards,

Matthias van de Meent

[0] https://bugzilla.mozilla.org/buglist.cgi?product=NSS&component=CA%20Certificate%20Compliance&bug_status=__open__
[1] https://bugzilla.mozilla.org/buglist.cgi?product=NSS&component=CA%20Certificate%20Compliance&bug_id=1593776%2C1605804%2C1623356%2C1550645%2C1625767%2C1502957%2C1620561%2C1575022%2C1590810%2C1578505%2C1463975%2C1496616%2C1614448%2C1559765%2C1606380%2C1532559%2C1599916%2C1551372%2C1610767%2C1575530%2C1597950%2C1597947%2C1597948&bug_id_type=anyexact&list_id=15253621&query_format=advanced
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1613409

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy