Ryan, all,

We’ve added feedback to the GitHub Pull Request for anything addressing the 
proposed language.

Besides that, we wanted to provide feedback to the recommendations the CCADB 
Steering Committee is considering.

>To better encourage blamelessness, when posting incident reports or responding 
>to comments on incident reports for which they are affiliated, participants 
>are encouraged to respond from a Bugzilla account associated with one of the 
>CA e-mail aliases disclosed to the CCADB, rather than an individual 
>contributor’s account. Some CAs already do this, and we’d like this to become 
>a standard practice.
>
>To better respect a desire for individual privacy and potential risk of 
>retaliation, individuals participating in the incident reporting process 
>should feel welcome to participate responsibly from an account that does not 
>identify the individual posting or their organizational affiliation.

We certainly see and agree that both the items above are practices that should 
be allowed, for a multitude of reasons. However, we would also like to raise 
that there are members and participants who prefer using their direct names and 
accounts. In some cases we believe seeing who posts can make a difference in 
context and on how a comment can be interpreted.

With that in mind, we would like to see the quoted to-be-considered 
recommendations moved to a “clear allowance” state. If the CCADB Steering 
Committee feels strongly about making this a recommendation, we would request 
adding (and keeping) an allowance for deviating from such behavior as well.

Regards,

Martijn Katerbarg
Sectigo

From: 'Ryan Dickson' via CCADB Public <[email protected]>
Date: Thursday, 12 December 2024 at 22:16
To: public <[email protected]>
Subject: Re: Further Improving the CCADB Incident Reporting Guidelines 
(FEEDBACK REQUESTED)


Hi everyone,


Thanks to some early feedback from members of the community, we’ve made a few 
updates to the proposal made in the original 
<https://github.com/mozilla/www.ccadb.org/pull/186> Pull Request.


The updated proposal is available here 
<https://github.com/mozilla/www.ccadb.org/pull/187>. 
We’ve closed the original Pull Request, but will allow it to persist to help 
describe changes between versions and retain community feedback.


Again, these changes should not be considered “final”, but instead a “work 
in-progress” that we hope to enhance through continued community contributions. 
We welcome your feedback on these proposed updates and recommendations by 
January 15, 2025. Please share your thoughts by replying to this email or, 
preferably, by suggesting edits directly on GitHub.


Thanks,

Ryan (on behalf of the CCADB Steering Committee)


On Thu, Nov 14, 2024 at 4:21 PM Ryan Dickson <[email protected]> wrote:

Hi everyone,


In October 2023 
<https://groups.google.com/a/ccadb.org/g/public/c/jYNpX4rGLvk/m/dJ_OcBiuAAAJ?utm_medium=email&utm_source=footer>, 
the CCADB Steering Committee, with valuable feedback from this community, 
updated the CCADB Incident Reporting Guidelines 
<https://www.ccadb.org/cas/incident-report> (IRGs). 
While the resulting updates have led to some reports becoming more 
useful and effective, Root Store Operators have continued to stress the 
importance of high-quality incident reports during CA/Browser Forum 
Face-to-Face updates and elsewhere.


In the spirit of continuous improvement, the CCADB Steering Committee has 
worked over the past few months to further enhance the effectiveness of the 
IRGs.


Objectives for this update to the IRGs include:

  *   Clarifying Root Store Operator expectations
  *   Aligning report format and content with those expectations
  *   Improving clarity regarding the difference between “preliminary” and 
“full” reports, and the timelines for disclosing these reports
  *   Improving Root Cause Analysis
  *   Tracking commitments made by CA Owners in response to incidents
  *   Increasing accountability and generating more actionable insights
  *   Improving consistency in report quality
  *   Emphasizing continuous improvement and lessons learned
  *   Encouraging familiarity with historical incident reports
  *   Defining a standard process for closing reports
  *   Aligning the incident reporting format with Steering Committee objectives 
planned for 2025+


The set of proposed updates is available here 
<https://github.com/mozilla/www.ccadb.org/pull/186>.


Beyond the above changes, we are considering making the following 
recommendations:

  *   To better encourage blamelessness, when posting incident reports or 
responding to comments on incident reports for which they are affiliated, 
participants are encouraged to respond from a Bugzilla account associated with 
one of the CA e-mail aliases disclosed to the CCADB, rather than an individual 
contributor’s account. Some CAs already do this, and we’d like this to become a 
standard practice.
  *   To better respect a desire for individual privacy and potential risk of 
retaliation, individuals participating in the incident reporting process should 
feel welcome to participate responsibly from an account that does not identify 
the individual posting or their organizational affiliation.


These proposals should not be considered “final”, but instead a “work 
in-progress” that we hope to enhance through community contributions. We 
welcome your feedback on these proposed updates and recommendations by January 
15, 2025. Please share your thoughts by replying to this email or, preferably, 
by suggesting edits directly on GitHub.


Thanks,

Ryan (on behalf of the CCADB Steering Committee)
