On Thu, Jun 05, 2025 at 02:04:36PM -0600, Jeremy Rowley wrote: > Actually - the more I think about it, the more I like Mike's idea. You > could split the document into 3 components: > 1) What does the CA do to meet its compliance requirements, > 2) What are the cert profiles the CA is issuing > 3) What are the items the CA is doing that are compliance requirements but > are there for more description on how the CA operates > > Mistakes in any of the 3 require an incident report (to ensure > transparency) but mistakes in 1 or 2 definitely require revocation. > > Requiring an incident report still encourages accuracy on part 3 but it > also warns relying parties that parts of this can be fixed without > revocation.
Revocation might be a blunt instrument of limited effectiveness, but as a means of notifying relying parties of a misissued certificate it is almost infinitely better than an incident report posted to Bugzilla. - Matt -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/32c182b1-05f1-40d4-a53f-9816a6393aa0%40mtasv.net.
