On Fri, Apr 20, 2018 at 12:33 PM, Wayne Thayer <wtha...@mozilla.com> wrote:
> At this point we have a few choices:
>
> 1. Do nothing about requiring email as a problem reporting mechanism.
> Instead, take on the related issues of disclosure of the reporting
> mechanism and receipt confirmation in Mozilla policy, via the CAB Forum, or
> both.
> 2. Go ahead with the proposal to require email, but allow CAs to require
> some special, but standardized identifier be placed in the message that
> they can filter on. For example, CAs could ignore messages sent to their
> problem reporting address unless the subject contains the phrase "problem
> report".
> 3. Develop some new problem reporting mechanism that solves the problems
> with email and forms. For example, we could require CAs to accept problem
> reports posted to this list, but build in some additional time in which to
> "receive" the report by reading list messages. Or we could require CAs to
> accept problem reports via Bugzilla. We already see problems being reported
> via these mechanisms and require CAs to monitor both of them, just not on a
> 24x7 basis.
>
> The first option ('do nothing') is currently in the lead, so I would
> especially like to hear from anyone who wants to argue for a different
> solution.
>

This discussion has resulted in no agreed-upon changes to the Mozilla policy. I will close the issue on GitHub [1], and I also plan to propose a CAB Forum ballot that includes the requirement for CAs to disclose their problem reporting mechanism in section 1.5.2 of their CPS.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues/98