On Fri, Apr 20, 2018 at 12:33 PM, Wayne Thayer <wtha...@mozilla.com> wrote:

> At this point we have a few choices:
>
> 1. Do nothing about requiring email as a problem reporting mechanism.
> Instead, take on the related issues of disclosure of the reporting
> mechanism and receipt confirmation in Mozilla policy, via the CAB Forum, or
> both.
> 2. Go ahead with the proposal to require email, but allow CAs to require
> some special, but standardized identifier be placed in the message that
> they can filter on. For example, CAs could ignore messages sent to their
> problem reporting address unless the subject contains the phrase "problem
> report".
> 3. Develop some new problem reporting mechanism that solves the problems
> with email and forms. For example, we could require CAs to accept problem
> reports posted to this list, but build in some additional time in which to
> "receive" the report by reading list messages. Or we could require CAs to
> accept problem reports via Bugzilla. We already see problems being reported
> via these mechanisms and require CAs to monitor both of them, just not on a
> 24x7 basis.
>
> The first option ('do nothing') is currently in the lead, so I would
> especially like to hear from anyone who wants to argue for a different
> solution.
>
>
This discussion has resulted in no agreed-upon changes to the Mozilla
policy. I will close the issue on GitHub [1], and I also plan to propose a
CAB Forum ballot that includes the requirement for CAs to disclose their
problem reporting mechanism in section 1.5.2 of their CPS.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues/98
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
