Jeremy Rowley posted the following comments in a separate thread:

> One suggestion on incident reports is to define "regularly update" as some period of time as non-responses can result in additional incident reports. Maybe something along the lines of "the greater of every 7 days, the time period specified in the next update field by Mozilla, or the time period for the next update as agreed upon with Mozilla". I'd also change "the corresponding bug is resolved by a Mozilla representative" to "the corresponding bug is marked as resolved in Bugzilla by a Mozilla representative" since the CA is resolving the actual bug, and Mozilla is managing its perception on the bug's status.

While I agree with the intent, I do fear that something this strict in policy creates the wrong incentives (e.g. bots that auto-comment bugs with no real updates, and others that create new incidents after 7 days and one second). I'd be okay with adding something like "CAs SHOULD update status weekly and MUST provide status updates at least every 30 days unless otherwise agreed by a Mozilla representative."

The addition of "marked as resolved" makes sense to me.

On Tue, Apr 23, 2019 at 4:15 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> On Tue, Apr 16, 2019 at 12:02 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>> I've drafted a specific proposal for everyone's consideration:
>>
>> https://github.com/mozilla/pkipolicy/commit/5f1b0961fa66f824adca67d7021cd9c9c62a88fb
>>
> Having received no new comments on this proposal, I'll consider this issue closed and plan to include it in policy version 2.7.
>
> - Wayne

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy