Hi Ryan,

On 10/04/17 16:38, Ryan Sleevi wrote:
> 1) You're arguing that "the issuance of this cert didn't impose risk on
> anyone but this specific customer"
> a) What factors lead you to that decision?

Can you lay out for us a scenario where this issuance might impose risk on someone else?

> 2) You've noted that you did not disclose it due to "contractual
> obligations to protect the customer's privacy", which "remains in force".
> a) If a contractual obligation is in conflict with the Baseline
> Requirements, do you have a process defined to resolve that conflict? If
> so, please fully describe it.

Do you think this particular contractual obligation to privacy _is_ in conflict with the BRs? If so, which section?

Gerv