Hi Ryan, I’m in the believe that CAs are a public service and as such they should provide public information regarding their operational status. The questions outlined below were open ended to provide CAs flexibility in the way they approach answering the questions.
I believe that the questions are of value to the community only if CAs cooperate by providing answers that are useful, brief and to the point instead of non useful throwaway answers. To end, I do hope that most if not all CAs answer these simple questions as it doesn’t look good if they don’t because CAs are about trust and trust is fulfilled by being open as they can be regarding their operations. Without said openness there is no trust. Thank you Burton I didn’t want CAs to disclose confidential informatio publicly I wanted to know On Mon, 23 Mar 2020 at 21:42, Ryan Sleevi <r...@sleevi.com> wrote: > > > On Mon, Mar 23, 2020 at 3:13 PM Burton via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> CAs, >> >> Please can you give a brief statement regarding these questions below: >> >> a) What’s your operational status at this time? >> >> b) Do you expect in the next six months to maintain an adequate >> operational >> status? >> >> c) If the worst case scenario does happen, what have you planned to >> maintain operationally? >> > > I think it's unlikely to get responses from many CAs. There is purely risk > here, with an unclear goal. I appreciate the clarity, but I also don't > think m.d.s.p. is necessarily a good venue for CA communications. For > example, if you'd like to submit this to Kathleen as a suggestion for a CA > communication, that might be a more productive endeavor. > > It also means that open ended questions like this may not get consistent > answers across CAs. For example, CA Foo might say their operational status > is "Case Nightmare Green" while CA Bar might say that their operational > status is "Major Tom" and CA Baz says "The eagle has left the nest". Those > are answers, but are they helpful? Similarly, "adequate" operational status > and "worst case" are equally ill-defined. > > In short, while I appreciate the curiosity, I don't think anything of > value can be gained from this thread, at least holistically. And it just > seems inherently risky for CAs to respond without that shared context. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
