On Wednesday, May 17, 2017 at 11:24:54 AM UTC, Gervase Markham wrote:
> Well, such contacts are normally per CA rather than per root. I guess we
> could add it on the CA's entry.

Tbh, I'm not really familiar with your Salesforce setup, I was just using this as a stand-in for "place where CA can be made to keep it current". :-)

> Well, I want to make sure that people who want to report e.g. a bad cert
> found in the wild know where to go. This was triggered by an event where
> Microsoft wanted to report something to GoDaddy (IIRC) but using the
> wrong contact.

So the intent was really:

How can an external entity (= not the certificate owner or authorized party) report a security issue, abuse scenario or policy violation with regards to certificates you issued? Specifically, what contact email address or webpage can be used to ensure a timely and competent response?
(plainly: how to reach "tech" or "compliance", not sales/marketing/customer-support/general/...)

> > IMHO, a wiki page with manually copied info has a good chance to get
> > stale as CAs change their documents, websites, primary domains, etc.
>
> It's true, but the other option is "dig in my CP/CPS".

But there could be more "other options":

dig yourself << community collected and maintained info < CA verified community info < info CAs are "forced" to maintain, policed by community

So I guess my second choice - after getting CAs to unbundle this specific info from their pdfs and maintain it via the CCADB (or wherever else it makes sense) - would be to go ahead with the manually created wiki page and make them confirm it regularly via CA communications. Then there is still a degree of accountability for the correctness.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy