Hi Steve,

Some quick follow-ups:

1) You're arguing that "the issuance of this cert didn't impose risk on anyone but this specific customer".
   a) What factors led you to that decision?
   b) What process does Symantec have in place to make such a determination?
   c) Does such a process continue to exist?
   d) If Symantec is incorrect in its determination, for this incident, past, or future incidents, what do you believe should be an appropriate response?

2) You've noted that you did not disclose it due to "contractual obligations to protect the customer's privacy", which "remains in force".
   a) If a contractual obligation is in conflict with the Baseline Requirements, do you have a process defined to resolve that conflict? If so, please fully describe it.
   b) If a contractual obligation is in conflict with other Root Program requirements, do you have a process defined to resolve that conflict? If so, please fully describe it.
   c) Please share the details of that contract, as well as any other such contracts that may exist, to the extent of such privacy requirements. If you're unable to do so, please fully describe why.
   d) Specifically, how many such contracts exist?
   e) Does Symantec have a procedure in place for when no such contracts exist (e.g. in the case of Example D, where Symantec failed to disclose to affected parties, citing "confidentiality", where no such contract existed)?
   f) What steps has Symantec taken, if any, to eliminate such clauses, in order to ensure that appropriate transparency for the ecosystem supersedes that of customer obligations, particularly when faced with situations like 1.d?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy