We know how to do in the future, and believe me we will do this better.
Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Matt Palmer
Sent: Friday, August 26, 2016 10:03 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote:
> On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote:
> > I'm after the specifics of the changes to WoSign's policies and
> > procedures regarding *notification*, not quality control. What were
> > WoSign's previous policies and procedures regarding notification
> > (obviously there was something in place, since Google was notified),
> > and what changes have been made to improve those policies to ensure
> > that all root programs are notified in line with each program's
> > requirements in the future?
>
> Clarification: In none of these incidents was Google notified
> proactively by WoSign. Instead, Google received communication from
> internal or external researchers regarding these issues, either prior
> to resolution or much later after the fact, and subsequently contacted
> WoSign regarding them.

Oh, wow. I totally misread the initial report. That's almost certainly much *worse*, then, because it's not simply a matter of some adjustments to an existing process to improve it, but likely the development and deployment of an entirely new process.

- Matt

--
The main advantages of Haynes and Chilton manuals are that they cost $15, where the factory manuals cost $100 and up, and that they will tell you how to use two hammers, a block of wood, and a meerkat to replace "special tool no. 2-112-A"
  -- Matt Roberds in asr.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy