On Sunday, June 23, 2024 at 3:39:35 PM UTC-4 Zacharias Björngren wrote:

> Missing the point
>
> > As a global CA we must walk a tightrope in balancing the requirements of the root programs and subscriber needs, especially for critical infrastructure.
>
> This is a very worrying sentence. It seems that both Entrust and many of their subscribers (even more worryingly, subscribers responsible for critical infrastructure) completely misunderstand what the purpose of the requirements of the root programs is. These rules, requirements, guidelines, policies, &c are here to keep us safe. And I don't mean us as in relying parties, I mean us as in everyone. That there is a need to balance these requirements against the needs of Entrust subscribers makes me worry about what those subscribers are doing. Why are so many organizations running critical infrastructure not prioritizing following safety regulation?

We serve many of the world's largest banks, governments, and enterprises and are confident that they do prioritize safety and compliance requirements from a wide variety of regulatory bodies. We are working with them to ensure they are clear on WebPKI compliance requirements moving forward. If there are use cases in which a privately-rooted environment would be more suitable, we will have those discussions.

> Refusal to learn, bug 1890898
>
> It's important to seize the opportunity to learn from your incidents. Why is Entrust so stubbornly clinging to their analysis in #1890898 that the certificates weren't mis-issued?

That is not the case. Please see https://bugzilla.mozilla.org/show_bug.cgi?id=1890898#c61 where this has been addressed.

> I don't understand this explanation, are senior leadership the ones making the decision to delay revocation or not revoke?

With the process changes described in our updated response, these decisions are now made through a cross-functional compliance review process with senior leadership. This will provide more proactive oversight.

> But those decisions are communicated to the community via Bugzilla, and is that not done through the business unit employees that have knowledge of the 2020 commitments? It's the same person posting "We will not the make the decision not to revoke." in 1651481, that this year posted "we decided to not revoke due to exceptional conditions listed in this report." in 1890898.

Yes, the business unit employees who made the posts knew of our 2020 commitments. They have been moved into our corporate compliance organization for increased communication and governance.

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/af8ebd8d-a379-4244-bb64-fc3d3696e0e6n%40mozilla.org.
