Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-10-28 Thread Wayne Thayer via dev-security-policy
On Tue, Oct 22, 2019 at 7:41 PM Ryan Sleevi wrote:
> On Tue, Oct 22, 2019 at 9:51 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> I have added this proposal to the 2.7 branch:

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-10-22 Thread Ryan Sleevi via dev-security-policy
On Tue, Oct 22, 2019 at 9:51 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> I have added this proposal to the 2.7 branch:
>
> https://github.com/mozilla/pkipolicy/commit/fa843039285b10030490c7eb54d1b754edae1fbc
>
> I will greatly appreciate everyone's

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-10-22 Thread Wayne Thayer via dev-security-policy
Having received no comments, I did not add the proposed guidance on status update frequency, but I did make the "marked as resolved" change that Jeremy suggested: https://github.com/mozilla/pkipolicy/commit/bad3fedc10e1fe9d5237760093ad235326e3bd62 An additional related change has been proposed in

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-10-04 Thread Wayne Thayer via dev-security-policy
Jeremy Rowley posted the following comments in a separate thread:
> One suggestion on incident reports is to define "regularly update" as some period of time as non-responses can result in additional incident reports. Maybe something along the lines of "the greater of every 7 days, the time

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-04-23 Thread Wayne Thayer via dev-security-policy
On Tue, Apr 16, 2019 at 12:02 PM Wayne Thayer wrote: > > I've drafted a specific proposal for everyone's consideration: > > > https://github.com/mozilla/pkipolicy/commit/5f1b0961fa66f824adca67d7021cd9c9c62a88fb > > Having received no new comments on this proposal, I'll consider this issue closed

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-04-16 Thread Wayne Thayer via dev-security-policy
On Fri, Mar 29, 2019 at 11:59 AM Wayne Thayer wrote:
> On Thu, Mar 28, 2019 at 5:29 PM Ryan Sleevi wrote:
>> On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote:
>>> On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote:
>>> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-03-29 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 28, 2019 at 5:29 PM Ryan Sleevi wrote:
> On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote:
>> On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote:
>>> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-03-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 28, 2019 at 7:42 PM Wayne Thayer wrote:
> On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote:
>> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>> **Incidents**
>>> > When a CA fails to comply with any

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-03-28 Thread Wayne Thayer via dev-security-policy
On Thu, Mar 28, 2019 at 4:11 PM Ryan Sleevi wrote:
> On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> We currently expect CAs to deliver incident reports whenever they fail to comply with our policy, but this is not

Re: Policy 2.7 Proposal: Incident Reporting Updates

2019-03-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Mar 28, 2019 at 6:45 PM Wayne Thayer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> We currently expect CAs to deliver incident reports whenever they fail to comply with our policy, but this is not a requirement of our policy. There is no obvious place to

Policy 2.7 Proposal: Incident Reporting Updates

2019-03-28 Thread Wayne Thayer via dev-security-policy
We currently expect CAs to deliver incident reports whenever they fail to comply with our policy, but this is not a requirement of our policy. There is no obvious place to add this in the existing policy, so I propose creating a new top-level section that reads as follows:
**Incidents**
> When a