On Friday, July 21, 2017 at 12:07:02 PM UTC-7, Alex Gaynor wrote:
> On Thu, Jul 20, 2017 at 11:00 AM, Steve Medin wrote:
>
> > 1) *December 1, 2017 is the earliest credible date that any RFP
> > respondent can provide the Managed CA solution proposed by Google, assuming
> > a start date of August 1, 2017. Only one RFP respondent initially proposed
> > a schedule targeting August 8, 2017 (assuming a start date of June 12,
> > 2017). We did not deem this proposal to be credible, however, based on the
> > lack of specificity around our RFP evaluation criteria, as compared to all
> > other RFP responses which provided detailed responses to all aspects of the
> > RFP, and we have received no subsequent information from this bidder to
> > increase our confidence.*
> >
>
> Hi Steve,
>
> Given that this represents nearly a 4 month difference in timelines, can
> you give us any more insight here as why you see such a large delta?
>
> Alex

We have evaluated the rigor of the proposals with regard to integration between Symantec and the Managed CA(s) for all certificate lifecycle functions for retail, partner, and Enterprise RA models, supporting enrollment, all methods of domain verification, organization and extended validation vetting, re-authentication, replacement, renewal, cancelation, modification, revocation, CAA checking, CT logging, and CRL and OCSP response provisioning; the models for cross-team engagement and release planning; identification of any gaps and the plans to address; and the plans for end-to-end testing. The most aggressive of the RFP responses was the sole outlier in terms of timing (2 months to implementation) and offered the least amount of information in response to the RFP. There were other attributes relating to this bidder’s proposal beyond its lack of content in addressing RFP evaluation criteria that reinforced our conclusion that the bid was not realistic. The difference between the most aggressive timing proposal when compared with the other RFP respondent plans was only about two months. All other RFP responses independently offered project plan timelines that spanned approximately 4-6 months. Symantec’s internal planning concluded that a 4 month timeline was aggressive but achievable.