On Tue, Nov 26, 2019 at 6:10 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> On Mon, 25 Nov 2019 14:12:46 -0800 > Kathleen Wilson via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > > CAs should have been keeping track of and resolving their own known > > problems in regards to not fully following the BRs and Mozilla > > policy. For example, I expect that a situation in which I responded > > with an OK in 2016 would have been corrected in the 3 years since > > that email was written. > > Perhaps to this end it would be useful for Mozilla's periodic survey > letters to always ask each CA to list any exceptional circumstances they > believe currently apply to them? > > We've included a question about complying with the intermediate audit requirements in the January survey, but not a more general question about exceptions. I feel that an open-ended question such as this will be confusing for CAs to answer, and moreover I don't want to create the impression that Mozilla grants exceptions for policy violations because, as a general rule, we don't. This would act both as a reminder to Mozilla of any such exceptions > which they granted but may have assumed meanwhile ceased to be > relevant, AND to the CA of any such exceptions upon which they find > themselves still relying. > > The publication of CA responses is an opportunity for Mozilla, Peers > and the wider community to comment on any discrepancy. > > > Nick. > > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy