Hi Ryan,

The answer to your questions.

A remediation plan is only useful in cases of slight CA non-compliance to
the rules set forth by the root store policy.

A remediation plan in cases of slight CA non-compliance provides assurance
of CA commitment to compliance.

A CA under investigation of serious non-compliance with detailed documented
evidence of non-compliance incidents has reached the stage of no return.

A remediation plan in the cases of serious non-compliance is a reference
document in the case of new root inclusion as documented evidence of
commitment to compliance.

The CA roots should be removed in the case of serious non-compliance and
asked to reapply for inclusion again to the root store with new roots and
new commitment to compliance with new audits from a different auditor and
reformed practices and management.

Thank you

Burton

On Wed, 27 Jan 2021, 19:54 Ryan Sleevi, <r...@sleevi.com> wrote:

>
>
> On Wed, Jan 27, 2021 at 2:45 PM Burton <j...@0.me.uk> wrote:
>
>> I included the remediation plan in the proposal because a CA will mostly
>> always include a remediation plan when they reach the stage of serious
>> non-compliance investigation by root store policy owners.
>>
>
> Sure, but I was more asking: are you aware of any point in the past where
> the remediation plan has been valuable, useful or appropriate? I'm not.
>
>
> The expectation is continuous remediation, so any remediation plan at a
> later stage seems too little, too late, right? The very intentional goal of
> the incident reporting was to transition to a continuous improvement
> process, where the CA was evaluated based on their
> contemporaneous remediation to incidents, rather than waiting until things
> get so bad they pile up and a remediation plan is used.
>
> So I'm trying to understand what a remediation plan would include, during
> discussion, that wouldn't (or, more explicitly, shouldn't) have been
> included in the incident reports as they happened?
>
>>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy