Fair enough. This is absolutely the sort of stuff that needs to be part of regular auditing. I was wondering what sort of checking or enforcement you had in mind by including it in the Mozilla policy now? Perhaps you just want the CAs to be reminded that cybersecurity issues are important despite the CABF docs on the matter being too weak? I have no qualms using "for example". I would like for more to be mentioned than just software updates, but even there I don't feel too strongly about it.
On 24/05/17 15:31, Peter Kurrasch wrote:
> It might be fair to characterize my position as "vague but
> comprehensive"...if that's even possible? There are some standard-ish
> frameworks that could be adopted:

I think we would prefer to wait for the CAB Forum to adopt something rather than attempting to define and enforce our own. If for no other reason than the CAB Forum thing is more likely to be audited and therefore to have actual teeth.

> If you'd like to keep the policy to a sentence or so, perhaps we could
> use some "including but not limited to" verbiage?

Well, the draft wording we started with used "for example"... :-)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy