The recent auditor discussions on this list have highlighted the fact that
we haven't done a good job of tracking auditor concerns. Easily searchable
records of past CA issues in Bugzilla help us to identify patterns of CA
behavior, and we should have the same for auditors. With that in mind, I
have two announcements:

* Rename Bugzilla Component:
CA issues have been filed under the NSS component "CA Certificate
Mis-issuance" in Bugzilla. "Mis-issuance" was inaccurate since the category
is used for all types of CA issues - audits, OCSP responders, etc. We also
want to use this component for auditor compliance issues, so we have just
renamed it to "CA Certificate Compliance". Please be aware of this change
when creating new CA compliance bugs or searching for existing ones.

* Create Auditor Compliance Dashboard:
https://wiki.mozilla.org/CA/Auditor_Compliance
I've created a new page on our wiki that describes how to create an auditor
compliance bug and that will summarize existing bugs. It also lists the one
auditor location that Mozilla has disqualified. Please let me know if you
find errors or omissions on this page.

I am planning to begin creating auditor compliance bugs when issues are
discovered that should have been found and reported by auditors. I may also
go back and create some bugs to document past issues. Please be aware that
these bugs are for tracking purposes and the simple act of creating one
should not be interpreted as an attack aimed at discrediting or
disqualifying any auditor. It is being done in the spirit of transparency
with the intent of working collaboratively with auditors to improve the
quality and consistency of the audit information received by Mozilla.

- Wayne
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy