On Wed, 24 Jul 2019 16:41:53 +0000
Rob Stradling via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

> [Wearing crt.sh hat]
> 
> https://crt.sh/mozilla-disclosures now has two new buckets:
> - Disclosed, but with Inconsistent Audit details
> - Disclosed, but with Inconsistent CP/CPS details
> 
> (I started discussing this new feature with Kathleen, Wayne and
> Sleevi off-list a few months ago, but I was not able to finish
> implementing it until a few days ago).
> 
> I've also made the checks for the "Disclosure Incomplete" bucket 
> stricter.  Missing/incomplete disclosures of BR and/or EV audits are
> now flagged.

Thanks, Rob.  This is a really valuable feature.

I noticed some false positives, for example where one disclosure URL
refers directly to the CP/CPS and the other refers to a repository
page which links to the CP/CPS.  Perhaps it's time to require CAs to
disclose the URL of the actual CP/CPS rather than a repository page, as
discussed a few months ago:

https://groups.google.com/d/msg/mozilla.dev.security.policy/DyF-5NcYpJI/UNoF46XXAgAJ

Regards,
Andrew
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
