I just noticed that my response to David's question was only sent to his (nobody@nowhere.invalid) reply address and not to the list.
On Wed, Sep 26, 2018 at 4:41 PM David E. Ross via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 9/26/2018 3:21 PM, Wayne Thayer wrote: > > I've held this discussion open for much longer than 3 weeks due to the > > qualified audit reports that were received from Camerfirma. Since no > > objections to the acquisition have been raised and the audit issues are > > being discussed separately [1][2], I would like to close this discussion > > and the corresponding bug [3] with a "positive conclusion" as required by > > policy section 8.1 If you have concerns with this action, please respond > by > > the end of this week. > > Should not a "positive conclusion" be withheld until the issues leading > to qualified reports are resolved? > > This isn't an inclusion request - the roots are already trusted and the CA continues to issue certificates. The lack of a "positive conclusion" would really mean that we have to take action to distrust the roots, and that is no different than what I could imagine happening if the audit qualifications hadn't been successfully remediated [1]. I've gone ahead and closed the acquisition bug on this basis. - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1478933 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1463597 -- > David E. Ross > <http://www.rossde.com> > > Too often, Twitter is a source of verbal vomit. Examples include Donald > Trump, Roseanne Barr, and Elon Musk. > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy