Yes, sorry for this. As I admitted, this discussion gives us a big lesson: we know when we need to report incidents to all browsers. We guarantee we will do it better.

Best Regards,
Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Ryan Sleevi
Sent: Friday, August 26, 2016 8:16 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> I'm after the specifics of the changes to WoSign's policies and
> procedures regarding *notification*, not quality control. What were
> WoSign's previous policies and procedures regarding notification
> (obviously there was something in place, since Google was notified),
> and what changes have been made to improve those policies to ensure
> that all root programs are notified in line with each program's requirements
> in the future?

Clarification: In none of these incidents was Google notified proactively by WoSign. Instead, Google received communication from internal or external researchers regarding these issues, either prior to resolution or much later after the fact, and subsequently contacted WoSign regarding them. It was only when Google found out recently that other programs were NOT notified, proactively, as had been expected, that Google shared the details it was aware of regarding various CA incidents, including those of WoSign, mentioned in this thread.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy