Hi Ryan,

These are good questions! I'll get back to you tomorrow with the answers to your questions. I want to research and give you the right information.

Thank you

Burton

On Wed, Jan 27, 2021 at 7:54 PM Ryan Sleevi <r...@sleevi.com> wrote:

> On Wed, Jan 27, 2021 at 2:45 PM Burton <j...@0.me.uk> wrote:
>
>> I included the remediation plan in the proposal because a CA will mostly
>> always include a remediation plan when they reach the stage of serious
>> non-compliance investigation by root store policy owners.
>
> Sure, but I was more asking: are you aware of any point in the past where
> the remediation plan has been valuable, useful or appropriate? I'm not.
>
> The expectation is continuous remediation, so any remediation plan at a
> later stage seems too little, too late, right? The very intentional goal of
> the incident reporting was to transition to a continuous improvement
> process, where the CA was evaluated based on their
> contemporaneous remediation to incidents, rather than waiting until things
> get so bad they pile up and a remediation plan is used.
>
> So I'm trying to understand what a remediation plan would include, during
> discussion, that wouldn't (or, more explicitly, shouldn't) have been
> included in the incident reports as they happened?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy