Hi everyone,

Wow, traffic on this group has exploded :-) Thank you to everyone who has been bringing incidents to our attention.

Clearly, many of these items need official responses and action from representatives of the Mozilla root program. I have been on holiday quite a lot recently, and that includes this week, and any time I have had has been fighting fires relating to my other responsibilities and requirements placed on me. But please rest assured, all this has not been forgotten.

In the meantime, I would hope CAs would be picking up incidents relating to themselves, doing investigations and publishing best-practice-style incident reports here once those investigations were concluded. I probably need to write a wiki page on this, but in brief best practice involves much more than "we revoked the certificates concerned", it needs to say "this is how this happened", and "this is what we've done/are doing to make sure it won't happen again".

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy