On Sunday, February 26, 2023 at 1:22:39 AM UTC-8 [email protected] wrote:
This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed.

[Kathleen] I added https://bugzilla.mozilla.org/show_bug.cgi?id=1801345#c19
Ahmed, Please add status updates every week from now until this is fully resolved.

Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mozilla establishes a clear protocol for handling security incidents and communicates this effectively to all participants.

[Kathleen] Ben previously filed https://github.com/mozilla/pkipolicy/issues/252 -- Add Requirements for Reporting CA Security Incidents
Ben will hold discussions about this here in MDSP as he works on MRSP v2.9.

Also, I have filed https://github.com/mozilla/www.ccadb.org/issues/99 -- We should add a section to https://www.ccadb.org/cas/incident-report that sets expectations about when and how frequently a CA should provide an update about their incident until it is fully resolved.

And I filed https://github.com/mozilla/pkipolicy/issues/266 -- Update MRSP section 2.4, "Incidents", to reference https://www.ccadb.org/cas/incident-report and indicate requirements about following that web page. (and set it for MRSP v2.9)

I am also curious in how Mozilla will choose to interpret the facts that have been made available. The way in which this incident is handled will establish a precedent for future security incidents, and it is important that Mozilla approaches this with a clear and consistent stance.

[Kathleen] Thanks Ryan.

Cheers,
Kathleen
