All,

We are proposing to revise Mozilla Root Store Policy (MRSP) Section 2.4 (Incidents) to address GitHub Issue #252 <https://github.com/mozilla/pkipolicy/issues/252> and Issue #266 <https://github.com/mozilla/pkipolicy/issues/266>.

*Issue #252 <https://github.com/mozilla/pkipolicy/issues/252> - Requirements for Reporting CA Security Incidents*

As noted in Issue #252, more guidance is needed for reporting security incidents to Mozilla. I am drafting a wiki page that will outline what is a reportable security incident and what a security incident report should contain. Thus, MRSP section 2.4 will be amended to read something to the effect:

"'Reportable Security Incident' means any security event, breach, or compromise that has the potential to significantly impact the confidentiality, integrity, or availability of CA infrastructure, CA systems, or the trustworthiness of issued certificates. A Reportable Security Incident MUST be reported with a security incident report in Bugzilla [link to Bugzilla security incident report template] as soon as possible and no later than __ hours, as described in [wiki page]. Additionally, other important security incidents and compromises of a CA operator's internal systems SHOULD be reported."

*Issue #266 <https://github.com/mozilla/pkipolicy/issues/266> – Update reference to https://www.ccadb.org/cas/incident-report*

Also, Issue #266 will be addressed by pointing to the CCADB's incident report requirements. The following language in MRSP section 2.4 will be amended to read:

"CA Operators must report incidents to Mozilla in the form of an Incident Report that follows guidance provided on the CCADB website - https://www.ccadb.org/cas/incident-report."

I look forward to your comments and suggestions regarding security incident reporting.

Thanks,
Ben