On Tue, Jul 11, 2023 at 09:04:06AM -0600, Ben Wilson wrote:
> effect, " 'Reportable Security Incident' means any security event, breach,
> or compromise that has the potential to significantly impact the
> confidentiality, integrity, or availability of CA infrastructure, CA
I'd suggest removing the word "significantly", because that's entirely open to interpretation, and history has shown that CAs aren't shy about interpreting things in a manner most favourable to their interests.

I don't see any real problem with requiring CAs to report *everything* with the potential to impact CIA of CA-related things, because even minor hiccups can become major, and they can also be a learning experience for everyone -- which is the same reason why most safety-critical industries require the reporting of near-misses, not just actual incidents.

- Matt

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZK5CExtS3j0cKC5t%40hezmatt.org.
