On Tue, Jun 2, 2020 at 10:25 PM Paul Walsh via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I dislike being added to lists as much as the next person. There are
> numerous reasons for what might have happened. Had you set up an address for
> the purpose of contacting them, or any other company, you’d know for sure.
>
> My personal approach would be to ask them before emailing the list. And
> I’m not pointing the finger because you decided to email the list :))
>
> I’ve received some unsolicited emails from people here, but I’m lucky
> because I appreciated each one - but they weren’t marketing emails.
>
> - Paul
>
>
> > On Jun 2, 2020, at 6:38 PM, Benjamin Seidenberg via dev-security-policy
> > <dev-security-policy@lists.mozilla.org> wrote:
> > Greetings:
> >
> > Today, I received a marketing email from one of the CAs in Mozilla's
> > program (Sectigo). As far as I know, the only interactions I've ever had
> > with this CA where they would have gotten my name and email address would
> > be from me submitting problem reports to them (for compromised private
> > keys). Therefore, I can only assume that they mined their problem report
> > submissions in order to generate their marketing contact lists.


As did I, not having done any business with Sectigo, on my personal email,
which I’ve only ever used for problem reporting with them.


> >
> > This leads to two questions:
> >
> > 1.) Is anyone aware of any policies that speak to this practice? I'm not
> > aware of anything in the BRs or Mozilla policy that speaks to this, but
> > there are many other standards, documents, audit regimes, etc., which are
> > incorporated by reference that I am not familiar with, and so it's possible
> > one of them has something to say on this issue.
>

I’m not aware of any, although it seems a rather brazen and distasteful
practice.

>
> > 2.) While I felt like this practice (if it happened the way I assumed) is
> > inappropriate, is there a consensus from others that that is the case? If
> > so, is there any interest in adding requirements to Mozilla's Policy about
> > handling of information from problem reports received by CAs?


I think something more concrete is useful here before contemplating. I’m
supportive of policies preventing such crass usages, but I’m worried CAs
already take very liberal interpretations of things to be kept private in
order to avoid transparency, and this might further embolden such
shenanigans.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy