On Wed, Jan 27, 2021 at 2:45 PM Burton <j...@0.me.uk> wrote:

> I included the remediation plan in the proposal because a CA will mostly
> always include a remediation plan when they reach the stage of serious
> non-compliance investigation by root store policy owners.

Sure, but I was more asking: are you aware of any point in the past where the remediation plan has been valuable, useful or appropriate? I'm not.

The expectation is continuous remediation, so any remediation plan at a later stage seems too little, too late, right? The very intentional goal of the incident reporting was to transition to a continuous improvement process, where the CA was evaluated based on their contemporaneous remediation to incidents, rather than waiting until things get so bad they pile up and a remediation plan is used.

So I'm trying to understand what a remediation plan would include, during discussion, that wouldn't (or, more explicitly, shouldn't) have been included in the incident reports as they happened?

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy