On Wed, Oct 10, 2018 at 4:58 PM Grabowski Piotr
wrote:
> Hello Ryan,
>
>
> In the design of this template, one of the concerns was about
> understanding *how* a problem happened, not just how a CA responded. This
> is why it includes text such as "This may include events before the
> incident was
On Wed, Oct 10, 2018 at 4:33 PM Grabowski Piotr via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Hello Wayne,
>
> - Is the new dual control process documented in a manner that will be
> auditable by your external auditors?
>
> Yes, the new dual control process is already
Any update behind the scenes about this issue? I've noticed that the soft limit
to fill an Incident Report expired more than a week ago, and I'm starting to be
a bit worried that some of the evidence in the CT logs might disappear if the
investigation is not completed before December 6th, the ea
Hello Ryan,
In the design of this template, one of the concerns was about understanding
*how* a problem happened, not just how a CA responded. This is why it includes
text such as "This may include events before the incident was reported, such as
when a particular requirement became applicable
Hello Wayne,
- Is the new dual control process documented in a manner that will be auditable
by your external auditors?
Yes, the new dual control process is already included in the document called
instruction of the security of system Szafir (internal name of the PKI system)
and it is
The responses to our latest survey are posted on the wiki [1].
I would like to thank all the CAs that responded promptly to the survey. We
have now received responses from all but two CAs:
- Visa - as of Firefox 64 [2], Visa will no longer be a program member.
- Certicamara - I have emailed and wi
Please find our incident report below.
1. How your CA first became aware of the problem (e.g. via a problem
report submitted to your Problem Reporting Mechanism, a discussion in
mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit),
and the time and date.
From Bugzilla bug 149
On 09/10/2018 23:15, Wayne Thayer wrote:
On Tue, Oct 9, 2018 at 12:48 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
Oh, so rather than trying to define what "No Stipulation" means and when
it can be used, we could take a different approach -- list th
On 09/10/2018 23:53, Wayne Thayer wrote:
> - DigiCert
>
> Looks like DigiCert disclosed these within a few hours of your email.
Yes, but I hope that DigiCert will provide an incident report so that we
can understand why DigiCert's "processes in place to ensure that these
requirements a
9 matches
Mail list logo