Kathleen and I edited the proposed language (https://github.com/BenWilson-Mozilla/pkipolicy/commit/a69aa03fb92d1b0c3f74fd560dffefdeed934b45) to now read:

"The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: ... 11. all incidents (as defined in section 2.4) disclosed by the CA, discovered by the auditor, or reported by a third party, that, at any time during the audit period, occurred or were open in Bugzilla;"

Additional guidance will be provided here: https://wiki.mozilla.org/CA/Audit_Statements and/or here: https://wiki.mozilla.org/CA/Responding_To_An_Incident

On Mon, Feb 15, 2021 at 11:47 AM Jeff Ward via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On Friday, February 12, 2021 at 10:27:11 AM UTC-6, Ben Wilson wrote:
> > I'm fine with that suggestion.
> >
> > On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
> >
> > > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote:
> > > > 11. all incidents (as defined in section 2.4), including those reported in Bugzilla, that were:
> > > > * disclosed by the CA or discovered by the auditor, and
> > > > * unresolved at any time during the audit period;
> > > >
> > > > The idea is that all "incidents" must be reported if they were "unresolved" - which would include those that occurred or were open - at any time during the audit period.
> > >
> > > Wouldn't it be clearer to non-native English speakers to avoid the nuance associated with "unresolved at any time" needing to imply both those that occurred or those that were still open?
> > >
> > > Why not amend the language to just say:
> > >
> > > 11. all incidents (as defined in section 2.4), including those reported in Bugzilla, that:
> > > * were disclosed by the CA or discovered by the auditor, and
> > > * occurred or were open at any time during the audit period;
> > > _______________________________________________
> > > dev-security-policy mailing list
> > > dev-secur...@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> This wording works from a WebTrust perspective as well. Thanks!