Dear Matt,

The way towards something like full disclosure is a difficult one to walk. I was working in the airline industry for a couple of years and experienced firsthand what it means to establish and nurture a "no blame" culture that truly motivates people to talk about mistakes, drifts towards unsafe behaviour and such. It's a long process and all participants need to want to support it.

I think that the current process of disclosing incidents publicly on Bugzilla does not help build a "full disclosure - no blame" culture. So CAs (and all the other participants in the ecosystem) will continue to try and limit the possible negative impact of what they have to disclose.

From my point of view, it makes no big difference if the word "significant" is there or not. As long as the culture is "blame and shame", all participants will think more than twice before posting a Bugzilla.

Kind regards
Roman

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Matt Palmer
Sent: Wednesday, 12 July 2023 08:03
To: [email protected]
Subject: Re: MRSP 2.9: Issues #252 and #266 - Incident Reporting

On Tue, Jul 11, 2023 at 09:04:06AM -0600, Ben Wilson wrote:
> effect, " 'Reportable Security Incident' means any security event,
> breach, or compromise that has the potential to significantly impact
> the confidentiality, integrity, or availability of CA infrastructure,
> CA

I'd suggest removing the word "significantly", because that's entirely open to interpretation, and history has shown that CAs aren't shy about interpreting things in a manner most favourable to their interests.

I don't see any real problem with requiring CAs to report *everything* with the potential to impact CIA of CA-related things, because even minor hiccups can become major, and they can also be a learning experience for everyone -- which is the same reason why most safety-critical industries require the reporting of near-misses, not just actual incidents.

- Matt

--
You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ZK5CExtS3j0cKC5t%40hezmatt.org.
