On Fri, Oct 23, 2020 at 8:55 AM Matthias van de Meent via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> The current MRSP does not bind the requirements on the reporting of
> incidents to the CA that the incident was filed on, but generally to
> CAs.
>
> Section 2.4 has the general requirement for a CA to report any
> incident (which is a failure to comply with the MRSP by any CA). So,
> if a CA is aware of an incident with another CA which is included in
> the Mozilla root store, that must be reported, and I agree with that.

This sounds like an overly broad reading of Mozilla Policy, and it's not clear to me how you reached it. Could you walk me through the language and help me understand how you reached that conclusion? It would seem like you might be reaching that conclusion from "When a CA" and "CAs", is that right?

> But, the requirements also extend to having to regularly update these
> incidents, and report these incidents in their audit letter, even if
> they are not related to that CA.

As mentioned above, this seems like an overly broad reading, and I'm wondering if that's the source of confusion here. Understandably, it would make no logical sense to expect a third-party reporter to provide updates for a CA incident, whether that third party is an individual or another CA.

By the logic being applied here, the ultimate sentence in that same paragraph would imply that, from the moment a CA incident is filed, all CAs in Mozilla's Root Program must stop issuance until the affected CA has resolved the issue, which certainly makes no logical or syntactical sense, or, similarly, that Section 4.2 of the policy obligates CAs to respond on behalf of other CAs.