I agree that requests should be entered into bugzilla and tracked that way. I also believe that we should allow CAs to enter requests directly into bugzilla (as opposed to sending an email message), and I am revising the policy to state that explicitly.
However I do not agree that we should require CAs to use bugzilla instead of email to submit the original requests. Not everybody knows how to use bugzilla, and there's a little bit of overhead to get yourself a login before you can submit a bug report. I think it would be better to allow CAs to just send an email if they don't want to deal with bugzilla; the "module owner" for certs (i.e., the person getting the [EMAIL PROTECTED] emails) would then enter the bug report on behalf of the CA, and add the CA contact person to the CC list for the bug.
I agree, except ...
The primary reason for the CA champion to register with bugzilla and file his/her own bug is to receive email notices when the bug is updated. If s/he lets someone else enter the bug, then s/he will not be notified quickly when comments/questions are added to the bug.
So, while I agree that we don't necessarily want to REQUIRE the CA champion to register, I think we must disclose that if they do not, there is a much greater chance that they will miss out on timely notifications to which responses may be helpful to their cause.
Note that this is essentially the same policy we handle for reports of security vulnerabilities: you can enter a security-sensitive bug yourself, or just email your report to [EMAIL PROTECTED]
Yes, but most folks who report such bugs don't really stick around to wait for the outcome. CA champions are in a different position in that respect.
(Reminder to myself: I need to ask the appropriate mozilla.org person to add a new component "CA certificates" to the "mozilla.org" product in bugzilla. This will make it easier to track requests and ensure that requests submitted via bugzilla will get to the right owner.)
Please do. It may also help avoid insults to the NSS module owner, like the ones that happened today.
-- Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
