On Wed, 1 Sep 2021 14:21:47 -0700 (PDT) Brett L <[email protected]> wrote:

> Hi Andrew,
>
> Thank you for the questions and checking on details.
>
> We removed the option to use the DNS operator exception from our
> secondary CA platform on 2021-05-13 (60 days before the ballot
> changes went into effect, see timeline below). Our primary CA
> platform has never used it.
>
> In May, we conducted our annual CPS review and prepared several
> updates including the one that removed the exception from Section
> 4.2.4. It was not published earlier because the update was bundled
> together with other changes in one revision.
>
> We did not file an incident because removal of the DNS operator
> exception was identified and acted upon well ahead of the deadline.
> The CPS update was also started before SC46 became effective. We
> regret it was not published prior to the effective date.

The inaccurate CPS is a compliance violation, even if the DNS operator exception was not in use.

This is the same basic scenario as <https://bugzilla.mozilla.org/show_bug.cgi?id=1706967> - in that case, GTS' domain validation practices were compliant with the BRs, but GTS' CPS did not accurately reflect GTS' practices. It's troubling to see a recurrence of that scenario, and your email doesn't provide much of an explanation how this happened.

1. Why was the CPS change not published in May given that <https://bugzilla.mozilla.org/show_bug.cgi?id=1706967> made clear the importance of having an accurate CPS?

2. When SC46 was merged into the BRs, did the automation described in <https://bugzilla.mozilla.org/show_bug.cgi?id=1706967#c11> create an internal ticket for it? If not, why not? If it did, how did GTS respond to the ticket and why did the response not detect the CPS non-conformance?

Regards,
Andrew
