Added to the list here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Accountability
And, yes, I am fully aware that a policy update is way overdue. :-(
Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
I agree with Jakob. This is similar to case law vs. statutory law. Even though
we can get the same understanding from various cases, I believe in this
situation it will be clearer to codify such requirements explicitly.
On Monday, September 12, 2016 at 10:38:48 AM UTC-7, Jakob Bohm wrote:
> On
On 10/09/2016 14:39, Gervase Markham wrote:
On 09/09/16 11:59, Jakob Bohm wrote:
> Since a major root compromise is generally considered the worst
> possible security event for a trusted CA, this wording could easily be
> (mis?)understood not to require reporting of lesser security failures,
> such as issuing millions (or just hundreds) of
Jakob Bohm writes:
> Am I reading something wrong, or is there an unintended loophole in the
> Mozilla Policy, as written, in this regard?
A cynic would say that that's the exact intent of the policy, to ensure that
anything but a catastrophe-scale event that's so big that
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/enforcement/
only lists the following rule requiring disclosure of CA security issues:
1. When a serious security concern is noticed, such as a major root
compromise, it should be treated as a