Greetings: Today, I received a marketing email from one of the CAs in Mozilla's program (Sectigo). As far as I know, the only interactions I've ever had with this CA where they would have gotten my name and email address would be from me submitting problem reports to them (for compromised private keys). Therefore, I can only assume that they mined their problem report submissions in order to generate their marketing contact lists.
This leads to two questions:

1.) Is anyone aware of any policies that speak to this practice? I'm not aware of anything in the BRs or Mozilla policy that speaks to this, but there are many other standards, documents, audit regimes, etc., which are incorporated by reference that I am not familiar with, and so it's possible one of them has something to say on this issue.

2.) While I felt that this practice (if it happened the way I assumed) is inappropriate, is there a consensus from others that that is the case? If so, is there any interest in adding requirements to Mozilla's Policy about the handling of information from problem reports received by CAs? I do recall a discussion a while back on this list where a reporter had their information forwarded on to the certificate owner and got unpleasant emails in response, and was asking whether the CAs were obligated to protect the identity of reporters, but I don't recall any conclusions being reached.

Good Day,
Benjamin

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy