On Sunday, January 24, 2021 at 11:58:29 AM UTC-8, Ramiro Muñoz wrote:
<snip>
> 
> Thanks everyone for your valuable contribution to the discussion. We’ve 
> prepared a thorough Remediation Plan that addresses all areas of 
> improvement that emerged both in this public discussion as well as in direct 
> contacts with some of the members: 
> https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing
> The plan is very ambitious, but we have our BoD commitment to align Camerfirma 
> to the highest level of standards of the Mozilla community. Please feel free 
> to send us any request for clarification or any suggestion to improve the 
> attached document. 

The remediation plan seems to raise, not eliminate, issues:

- Action point 1 raises the possibility that anomalous actions are possible. 
Why aren't the issuance processes automated and logged already?

- Action point 2 will not work. Humans are bad at monitoring for rare 
conditions. Some of the issues were not misspellings or confusion over the name 
of a company, but syntactic defects that machines could detect. It should at 
minimum be paired with automated validation.

- Action point 5 should already be achieved as a result of commitments made in 
https://bugzilla.mozilla.org/show_bug.cgi?id=1390977#c30

- Action point 9 should be trivial. But it isn't. Why not?

Beyond that, all of these are actions that should have been undertaken in 
remediation of the past issues when they happened. I see very little that would 
remediate the risks of misissuance, such as e.g. exiting the sub-CA business, 
and migrating to a proven CA infrastructure rather than the homegrown one that 
seems to give operators plenty of scope to make mistakes. There's no issuance 
freeze to permit these necessary controls to be in place before resuming.

Sincerely,
Watson Ladd

> 
> Thanks for your contribution.
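As an added illustration of the automated validation the reply asks for under action point 2 (this is not code from the list post, from Mozilla, or from any Camerfirma tooling): a minimal pre-issuance linter that flags syntactic defects in a certificate request before a human ever reviews it. The request fields, the rules checked, and the short country allow-list are my own constructed assumptions; the defects are generic examples, not the specific ones discussed in Camerfirma's incident bugs.

```python
import re
from dataclasses import dataclass, field

# Hostname label rule from RFC 1123: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Constructed allow-list for the example; a real linter would load the full ISO 3166-1 table.
ISO_COUNTRIES = {"ES", "US", "DE", "FR", "GB", "PT"}


@dataclass
class CertRequest:
    """Hypothetical flattened view of the subject and SAN fields a CA would issue."""
    common_name: str
    country: str
    organization: str
    san_dns: list = field(default_factory=list)


def valid_dns_name(name):
    """True if every dot-separated label is syntactically valid and the name is non-empty."""
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def lint_request(req):
    """Return the list of syntactic defects found; an empty list means the request passes.

    These are exactly the kind of machine-checkable problems a reviewer scanning
    thousands of requests will miss: a bad country code, stray whitespace,
    an empty DNS label, a CN that is not mirrored in the SAN.
    """
    defects = []
    if req.country not in ISO_COUNTRIES:
        defects.append(f"countryName {req.country!r} is not an ISO 3166-1 alpha-2 code")
    if not req.organization or req.organization != req.organization.strip():
        defects.append("organizationName is empty or has leading/trailing whitespace")
    if "  " in req.organization:
        defects.append("organizationName contains a double space")
    for name in [req.common_name] + req.san_dns:
        if not valid_dns_name(name):
            defects.append(f"dNSName {name!r} is not a syntactically valid hostname")
    if req.common_name not in req.san_dns:
        defects.append("commonName is not repeated in subjectAltName")
    return defects
```

In a CA pipeline this check would gate issuance automatically, with the human review layered on top of it rather than replacing it.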
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
