Frank Hecker wrote:However I do not agree that we should require CAs to use bugzilla instead of email to submit the original requests. Not everybody knows how to use bugzilla, and there's a little bit of overhead to get yourself a login before you can submit a bug report. I think it would be better to allow CAs to just send an email if they don't want to deal with bugzilla; the "module owner" for certs (i.e., the person getting the [EMAIL PROTECTED] emails) would then enter the bug report on behalf of the CA, and add the CA contact person to the CC list for the bug.
That wouldn't work unless the person had a Bugzilla account; in which case they could file a bug anyway.
Hmmm, I thought one could add arbitrary email addresses to the CC list, but I guess not -- I just tested this.
They are asking a lot from us - the least they can do is take three minutes to get a Bugzilla account and then click on the "File CA Cert Bug" link in the policy.
Note that this is essentially the same policy we handle for reports of security vulnerabilities: you can enter a security-sensitive bug yourself, or just email your report to [EMAIL PROTECTED]
This is different. The person submitting such a report is doing us a favour, rather than the other way around.
OK, I understand and concede your point. However since the [EMAIL PROTECTED] address already exists and is known, I don't think it would be a good idea to discontinue it entirely.
I think what I might do is to write the policy so that entering a bug report is the preferred way to submit a request, and then either include [EMAIL PROTECTED] as a deprecated method or just not mention it at all.
(Reminder to myself: I need to ask the appropriate mozilla.org person to add a new component "CA certificates" to the "mozilla.org" product in bugzilla. This will make it easier to track requests and ensure that requests submitted via bugzilla will get to the right owner.)
Done. Initial description: "For Certificate Authorities to file requests asking for their certificates to be included in the default certificate store." Tell me if that's wrong.
No, that sounds good. Thanks for adding this; I have only one nit to pick, see below.
I've made you "initial owner", although I expect that someone else will fill that role in due time.
Could you change the initial owner to be "[EMAIL PROTECTED]", not "[EMAIL PROTECTED]"? Since I'm no longer a full mozilla.org staff member (but just an associate member) I've discontinued using my mozilla.org address and bugzilla account in favor of my personal address and account. Thanks in advance.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
