A few years ago, Sectigo created 
https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share 
information about our "Guard Rails" project.  Quoting that bug:
“Guard Rails” is a convenient name for a series of programmatic checks we are 
putting in place to confirm certificate orders for compliance with specific 
requirements before issuance can occur. Guard Rails are like Certificate Lints, 
except that they may be stricter than what CA/B Forum and root program policies 
require. By defining and adding these checks, we can eliminate potential 
sources of misissuance and achieve higher overall issuance quality. This 
initiative is borne in part from the understanding that human-based processes 
are fundamentally error prone, and to the degree we can implement defined 
machine processes, our error rate will go down.

We took steps<https://bugzilla.mozilla.org/show_bug.cgi?id=1724476#c1> (comment 
#1) to avoid this bug being seen as an "incident" bug:
Since this bug is intended to be a repository for information and discussion 
rather than a response to any particular CA Compliance incident, I'm 
immediately marking it as RESOLVED INCOMPLETE and deliberately not putting 
[ca-compliance] in the Whiteboard field. We chose to deviate from the "<CA 
Name>: <Incident Summary>" bug title format for the same reason.

However, at some point since then somebody decided to add the "[ca-compliance]" 
whiteboard tag, which seems problematic to us.

In order to clearly identify this type of information sharing "bug", and even 
to encourage other CAs to consider doing likewise, we would like to propose a 
new whiteboard tag:

[ca-infosharing]

--
Rob Stradling
Distinguished Engineer
Sectigo Limited


