However I do not agree that we should require CAs to use bugzilla instead of email to submit the original requests. Not everybody knows how to use bugzilla, and there's a little bit of overhead to get yourself a login before you can submit a bug report. I think it would be better to allow CAs to just send an email if they don't want to deal with bugzilla; the "module owner" for certs (i.e., the person getting the [EMAIL PROTECTED] emails) would then enter the bug report on behalf of the CA, and add the CA contact person to the CC list for the bug.
That wouldn't work unless the person had a Bugzilla account; in which case they could file a bug anyway.
They are asking a lot from us - the least they can do is take three minutes to get a Bugzilla account and then click on the "File CA Cert Bug" link in the policy.
Note that this is essentially the same policy we handle for reports of security vulnerabilities: you can enter a security-sensitive bug yourself, or just email your report to [EMAIL PROTECTED]
This is different. The person submitting such a report is doing us a favour, rather than the other way around.
(Reminder to myself: I need to ask the appropriate mozilla.org person to add a new component "CA certificates" to the "mozilla.org" product in bugzilla. This will make it easier to track requests and ensure that requests submitted via bugzilla will get to the right owner.)
Done. Initial description: "For Certificate Authorities to file requests asking for their certificates to be included in the default certificate store." Tell me if that's wrong.
I've made you "initial owner", although I expect that someone else will fill that role in due time.
Gerv
