Hi Kathleen,
Thank you very much for the clarifications. If I'm understanding correctly, it
sounds like Mozilla is considering adding sub-items of item 4 on the survey as
Mozilla Root Program requirements if the associated CAB Forum ballot does not 
pass. However, there is concern that many CAs may not be compliant with these 
requirements, so the purpose of the survey is to gauge potential impact to CAs 
so that effective dates can be set such that CAs can react appropriately as 
well as to gather data to better inform Mozilla's position in the CAB Forum. 
Is that a correct assessment of the purpose of question 4?

As for creating GitHub issues, while I can't speak for other CAs, our team 
regularly reads MDSP but also checks the Issues list on GitHub (albeit less
frequently) to stay on top of potential policy changes. So I'd say as long as
potential policy changes are discussed (or at the very least, mentioned) on
MDSP, we don't need a corresponding GitHub issue to be aware.

Having reviewed the Browser Alignment ballot in more detail, I have several 
concerns, but in the spirit of progressing the conversation forward in the CAB 
Forum, I'll raise them there.

Thanks,
Corey

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org>
> On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Friday, May 1, 2020 1:29 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: DRAFT May 2020 CA Communication/Survey
>
> On 5/1/20 9:48 AM, Corey Bonnell wrote:
> > Hi Kathleen,
> > Thank you for sending out this notification of the draft survey. I have
> > briefly reviewed and would like to ask what is the intent of Item 4 and the
> > associated sub-items? The Browser Alignment draft ballot is under discussion
> > in the CAB Forum, so the intent behind the shift of the location of
> > discourse to the Mozilla forum is unclear.
> >
> > Thanks,
> > Corey
> >
>
> Hi Corey,
>
> We do not intend to shift the location of the discourse.
>
> The intent of Item 4 and the associated sub-items in our survey is to help
> Mozilla with the specific questions/concerns that we have about the ballot,
> so that we can use input from CAs in our program to recommend changes to
> the draft. It is relatively easy to tack our questions about this draft
> ballot onto our CA Communication/survey, and the results will give us the
> data we are currently lacking.
>
> Currently some of my concerns about the draft of the ballot have no data
> behind them. While I think it is good to add many of those items in the
> ballot to the BRs, I am concerned about the effective dates of "immediately" or
> "Sept 1". I don't want to end up with a bunch of cert revocations caused by
> effective dates that should have been changed while the ballot was in draft
> form. I also don't want to see the entire ballot fail just because we didn't
> have the data to reasonably update the draft of the ballot.
>
> Note: There are some items in the ballot that we (Mozilla) might request be
> removed, but that input will be provided by Mozilla's CABF representatives
> (Ben and Wayne) directly into the CABF discussion forum.
>
> I will greatly appreciate your thoughts on how to better ask the questions
> in item 4 of our survey, to clarify our intent, and be able to get the data
> that we seek.
>
> Thanks,
> Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
