On Fri, Oct 09, 2020 at 06:33:22AM -0700, Tim Callan via dev-security-policy wrote: > We anticipate no meaningful changes required to policies, operations, or > personnel.
[...] > In this case the required changes are virtually nothing. These statements concern me somewhat, as reasonable people may have differing thresholds for "meaningful" and "virtually". Whilst publicly enumerating every possible change is impossible, I would urge Sectigo to err on the side of caution when it comes to evaulating whether a change is "meaningful". Given Sectigo's long and storied history of failures to meaningfully engage with the Mozilla community on Sectigo's misadventures, I doubt there is much appetite for a future in which "oh, we didn't think *that* was a meaningful change" figures heavily in incident reports. - Matt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy