Hi Ryan,

On Tue, 19 May 2020 at 00:47, Ryan Sleevi <[email protected]> wrote:
>
> Hi Matthias,
>
> We're aware of this. Could you explain what issue or issues this
> presents to you?

One of the reasons I did this research was to check the track record of CAs with regard to compliance and solving compliance issues. As you might expect, this is quite difficult when the issues are not updated regularly. The distinction closed / open is (although skewed) a decent indication of a CA's compliance track record and their readiness to improve, especially when tracking open issues over time. When the issue state is not linked to the actual solving of the compliance issue, the skewed indication becomes even worse.

> Understanding that different projects can and do use different
> workflows to address their needs, it's not immediately clear to me
> what impact, if any, this might have for you, and it's unclear why the
> distinction between an open bug and a closed bug should be something
> you're concerned about.

The MRSP section 2.4 asks the CA to promptly provide an incident report, and regularly update this report until it is closed. My opinion is that in this section Mozilla also has an implicit duty to the CA: to mark issues as resolved when Mozilla and the CA agree that the compliance issue has been resolved. Concerns start to appear when both the CA and Mozilla do not adhere to the policy that they agreed to, be it explicit (the CA) or implicit (Mozilla), as all I see is a slippery slope. Although I know there is no clear timeframe asked for in the MRSP, I do want to ask the related parties to at least improve upon the current 4w+ timescale, and/or add realistic next update dates to their compliance issues.

> Understanding what problem(s) you're trying to solve seems more
> productive/useful way to get them addressed. What difference does the
> distinction make for you?

I expect that an open issue is open-ended, has missing information or has incomplete tasks and thus tells an incomplete story, and that a closed issue provides an understanding of what the compliance issue was, and how it was solved.

When this open/closed distinction becomes less clear due to issues not being closed, it takes longer to provide an indication that the issue has been solved, and any lessons learned take longer to propagate to other interested parties (as I see it). Currently, I cannot see the forest for the trees due to so many issues waiting to be closed, or having their next-update-by windows long past, or just plain lack of communication about what is going on. This makes it even more difficult to make informed decisions about those CAs based on their compliance track record.

With regards,
Matthias

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

