Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

All, I've modified the proposed change to MRSP section 3.2 so that it would now insert a middle paragraph that would read: "A Qualified Auditor MUST have relevant IT Security experience, or have audited a number of CAs, and be independent and not conflicted. Individuals have competence,

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

On Tue, 9 Feb 2021 14:29:15 -0700 Ben Wilson via dev-security-policy wrote: > All, > GlobalSign has provided a very detailed incident report in Bugzilla - > see https://bugzilla.mozilla.org/show_bug.cgi?id=1690807#c2. > There are a few remaining questions that still need to be answered, > so

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

Here is an edit to proposed subparagraph 11 of MRSP section 3.1.4: The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: 11. all incidents (as defined in section 2.4), including those reported in Bugzilla, that were: *

Re: Public Discussion of GlobalSign's CA Inclusion Request for R46, E46, R45 and E45 Roots

On Thu, Feb 11, 2021 at 1:11 PM Nick Lamb via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I have a question (if I should write it in Bugzilla instead please say > so it is unclear to me what the correct protocol is) > While Mozilla Policy permits discussion in both, I

Policy 2.7.1: MRSP Issue #221: Wrong hyperlink for "Material Change" in MRSP Section 8

All, I am proposing for v. 2.7.1 a minor change that corrects a hyperlink issue in MRSP section 8. The link to "material change" here redirects to "alteration of instruments" - https://legal-dictionary.thefreedictionary.com/Material+Changes, which is altogether wrong since we're talking about a