On Wednesday, June 3, 2020 at 2:38:33 AM UTC+1, Benjamin Seidenberg wrote:
> Greetings:
> 
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.
> 
> This leads to two questions:
> 
> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speaks to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.
> 
> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?
> 
> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.
> 
> Good Day,
> Benjamin


Benjamin, Ryan,

Apologies. Both of your email addresses did have a message sent to them from 
Sectigo in the past day or two regarding an upcoming webinar, which should not 
have been sent to you.
Both of your contacts were within our centralised ticketing and CRM system from 
your previous abuse reports.
A subset of users in the group for certificate and malware abuse were 
incorrectly contacted.

We have now marked all contact addresses that have submitted certificate and 
malware abuse reports as opt-out, and this will cover new reports going forward.
I believe at least Benjamin followed the opt-out link, which we have already 
taken action on.

Apologies once again - we do not wish for this to discourage the abuse reports 
we receive from the community.

Thanks,
Nick
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy