I dislike being added to lists as much as the next person. There are numerous 
reasons for what might have happened. Had you set up an address for the purpose 
of contacting them, or any other company, you’d know for sure. 

My personal approach would be to ask them before emailing the list. And I’m not 
pointing the finger because you decided to email the list :))

I’ve received some unsolicited emails from people here, but I’m lucky because I 
appreciated each one - but they weren’t marketing emails. 

- Paul


>> On Jun 2, 2020, at 6:38 PM, Benjamin Seidenberg via dev-security-policy 
>> <dev-security-policy@lists.mozilla.org> wrote:
> Greetings:
> 
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.
> 
> This leads to two questions:
> 
> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speaks to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.
> 
> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?
> 
> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.
> 
> Good Day,
> Benjamin
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy