On 18/08/17 04:37, Gervase Markham wrote:
> I've started a wiki page giving Mozilla expectations and best practices
> for CAs responding to a misissuance report. (No idea why I decided to
> write that now...)
> 
> https://wiki.mozilla.org/CA/Responding_To_A_Misissuance

I have now removed the Draft designation from this document. Researchers
who find CA misissuances are welcome to include a link to this page in
their report to the CA, reminding the CA that Mozilla has the documented
expectations.

To be clear on the status of this document: this is a best practices
document, not an official policy, and does not use normative language.
Therefore, failure to follow one or more of the recommendations here is
not by itself sanctionable. However, failure to do so without good
reason may affect Mozilla's general opinion of the CA. Our confidence in
a CA is in part affected by the number and severity of incidents, but it
is also significantly affected by the speed and quality of incident
response.

Researchers may also be interested, if they have not already noticed,
that there is a ballot in preparation in the CAB Forum to adjust the
24-hour revocation rule to something more practical in cases of lower
severity.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
