Having received no comments, I did not add the proposed guidance on status
update frequency, but I did make the "marked as resolved" change that
Jeremy suggested:
https://github.com/mozilla/pkipolicy/commit/bad3fedc10e1fe9d5237760093ad235326e3bd62

An additional related change has been proposed in issue #193 [1]: require
incident disclosure transitively for all sub-CAs. In the issue, it was
pointed out that the expectations for incident reporting by subordinate
CAs might not be clear, and a number of options were presented. I proposed
that the most important point to make in policy is that Mozilla holds the
program member (i.e. root CA) accountable.

Ryan suggested the following addition to the list of requirements in
section 2.1 to clarify this requirement:

The CA whose certificates are included in Mozilla's root program MUST
ensure that all certificates within the scope of this policy, as described
in Section 1.1, adhere to this policy.

I have added this proposal to the 2.7 branch:
https://github.com/mozilla/pkipolicy/commit/fa843039285b10030490c7eb54d1b754edae1fbc

I will greatly appreciate everyone's feedback on these changes.

- Wayne

[1] https://github.com/mozilla/pkipolicy/issues/193

On Fri, Oct 4, 2019 at 4:22 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> Jeremy Rowley posted the following comments in a separate thread:
>
>> One suggestion on incident reports is to define "regularly update" as some
>> period of time as non-responses can result in additional incident reports.
>> Maybe something along the lines of "the greater of every 7 days, the time
>> period specified in the next update field by Mozilla, or the time period
>> for the next update as agreed upon with Mozilla". I'd also change "the
>> corresponding bug is resolved by a Mozilla representative" to "the
>> corresponding bug is marked as resolved in bugzilla by a Mozilla
>> representative" since the CA is resolving the actual bug, and Mozilla is
>> managing its perception on the bug's status.
>>
>
> While I agree with the intent, I do fear that something this strict in
> policy creates the wrong incentives (e.g. bots that auto-comment bugs with
> no real updates, and others that create new incidents after 7 days and one
> second). I'd be okay with adding something like "CAs SHOULD update status
> weekly and MUST provide status updates at least every 30 days unless
> otherwise agreed by a Mozilla representative."
>
> The addition of "marked as resolved" makes sense to me.
>
> On Tue, Apr 23, 2019 at 4:15 PM Wayne Thayer <wtha...@mozilla.com> wrote:
>
>>
>> On Tue, Apr 16, 2019 at 12:02 PM Wayne Thayer <wtha...@mozilla.com>
>> wrote:
>>
>>> I've drafted a specific proposal for everyone's consideration:
>>>
>>> https://github.com/mozilla/pkipolicy/commit/5f1b0961fa66f824adca67d7021cd9c9c62a88fb
>>>
>> Having received no new comments on this proposal, I'll consider this
>> issue closed and plan to include it in policy version 2.7.
>>
>> - Wayne
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy