Proposed whiteboard tag for non-incident "bugs"

[Rob Stradling]

A few years ago, Sectigo created https://bugzilla.mozilla.org/show_bug.cgi?id=1724476 in order to share information about our "Guard Rails" project.  Quoting that bug:

“Guard Rails” is a convenient name for a series of programmatic checks we are putting in place to confirm certificate orders for compliance with specific requirements before issuance can occur. Guard Rails are like Certificate Lints, except that they may be stricter than what CA/B Forum and root program policies require. By defining and adding these checks, we can eliminate potential sources of misissuance and achieve higher overall issuance quality. This initiative is borne in part from the understanding that human-based processes are fundamentally error prone, and to the degree we can implement defined machine processes, our error rate will go down. 

We took steps (comment #1) to avoid this bug being seen as an "incident" bug:

Since this bug is intended to be a repository for information and discussion rather than a response to any particular CA Compliance incident, I'm immediately marking it as RESOLVED INCOMPLETE and deliberately not putting [ca-compliance] in the Whiteboard field. We chose to deviate from the "<CA Name>: <Incident Summary>" bug title format for the same reason.

However, at some point since then somebody decided to add the "[ca-compliance]" whiteboard tag, which seems problematic to us.

In order to clearly identify this type of information sharing "bug", and even to encourage other CAs to consider doing likewise, we would like to propose a new whiteboard tag:

[ca-infosharing]

--

Rob Stradling

Distinguished Engineer

Sectigo Limited

[Clint Wilson]

Hi Rob,

This incident is a valuable example for the ecosystem of the steps that may be necessary for a CA to take when approaching compliance and incidents comprehensively, especially when incidents spiral or cascade into the discovery of more underlying or systemic issues than at first appearance. I would absolutely encourage other CAs to share (and continue sharing) similar information, as we see SSL.com working on with their reseller interactions or when Amazon provided a presentation at a recent CA/B Forum F2F. Even if the events from which CAs learned a great deal or which heavily impacted their ability to successfully comply with industry expectations and requirements are in the distant past, such retrospective analyses can be incredibly valuable no matter their timing.

I similarly support disclosing such "lessons learned" in Bugzilla and having a tag dedicated thereto seems appropriate -- especially if this becomes more common for CAs to do. Alternatively, if Mozilla would prefer organizing these in some other way, I'm not opposed; the goal here is discoverability and there are likely any number of ways to succeed in that goal.

Cheers!

-Clint

[Ben Wilson]

Hi Clint and Rob,

This is relatively easy to implement, and we can start immediately by just adding [ca-infosharing] in the whiteboard. I've added it to the Mozilla CA Program wiki - https://wiki.mozilla.org/CA/Bug_Triage#Whiteboard_Tags ("For non-incident "lessons learned" and other descriptions of comprehensive steps a CA might take when addressing compliance, or cascading incidents, or to share its compliance-related experiences for the benefit of the ecosystem"), and I'll get this added somewhere on the CCADB website.

Thanks,

Ben

--
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/2642e3b1-cbc0-4964-9743-b27851ff17b8n%40ccadb.org.