Bug 2004699 Comment 13 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I’d like to clarify Mozilla’s expectations and address some of the important points raised here.

First, there is a difference between attempting to compare the internal operations of other CA operators and reviewing publicly documented incident reports and post-mortems. Mozilla does not expect Netlock to assess the internal processes of other CA operators, but we do expect it to review publicly available incident documentation in Bugzilla. This practice enables all CA operators to identify failure modes, remediations, and lessons learned, and to evaluate them against their own systems and controls.

Second, compliance with the CA/Browser Forum Baseline Requirements, CCADB policies, and Mozilla Root Store Policy is not contextual. These requirements apply uniformly, regardless of jurisdiction. While Mozilla recognizes that CA operators may function under different regulatory and operational conditions, such factors do not excuse or justify technical or procedural non-compliance. If local constraints affect a CA operator’s ability to meet these requirements, Mozilla expects that risk to be clearly identified, mitigated, or escalated.

Finally, to ensure clarity and proper tracking, Mozilla reiterates the request 1.) in Comment #10 that Netlock file a separate incident report addressing the identified incident-reporting non-compliance, consistent with CCADB incident reporting expectations (i.e. the report should describe the nature of the non-compliance, its root causes, the remediation measures taken, preventive measures implemented, etc.).

Mozilla values constructive, good-faith engagement and expects discussions to remain professional and respectful. At the same time, clear ownership of compliance obligations and demonstrable learning from ecosystem incidents are essential to maintaining trust.

I’d like to clarify Mozilla’s expectations and address some of the important points raised here.

First, there is a difference between attempting to compare the internal operations of other CA operators and reviewing publicly documented incident reports and post-mortems. Mozilla does not expect Netlock to assess the internal processes of other CA operators, but we do expect it to review publicly available incident documentation in Bugzilla. This practice enables all CA operators to identify failure modes, remediations, and lessons learned, and to evaluate them against their own systems and controls.

Second, compliance with the CA/Browser Forum Baseline Requirements, CCADB policies, and Mozilla Root Store Policy is not contextual. These requirements apply uniformly, regardless of jurisdiction. While Mozilla recognizes that CA operators may function under different regulatory and operational conditions, such factors do not excuse or justify technical or procedural non-compliance. If local constraints affect a CA operator’s ability to meet these requirements, Mozilla expects that risk to be clearly identified, mitigated, or escalated.

Finally, to ensure clarity and proper tracking, Mozilla reiterates the request 1.) in Comment #12 that Netlock file a separate incident report addressing the identified incident-reporting non-compliance, consistent with CCADB incident reporting expectations (i.e. the report should describe the nature of the non-compliance, its root causes, the remediation measures taken, preventive measures implemented, etc.).

Mozilla values constructive, good-faith engagement and expects discussions to remain professional and respectful. At the same time, clear ownership of compliance obligations and demonstrable learning from ecosystem incidents are essential to maintaining trust.

I’d like to clarify Mozilla’s expectations and address some of the important points raised here.

First, there is a difference between attempting to compare the internal operations of other CA operators and reviewing publicly documented incident reports and post-mortems. Mozilla does not expect Netlock to assess the internal processes of other CA operators, but we do expect it to review publicly available incident documentation in Bugzilla. This practice enables all CA operators to identify failure modes, remediations, and lessons learned, and to evaluate them against their own systems and controls.

Second, compliance with the CA/Browser Forum Baseline Requirements, CCADB policies, and Mozilla Root Store Policy is not contextual. These requirements apply uniformly, regardless of jurisdiction. While Mozilla recognizes that CA operators may function under different regulatory and operational conditions, such factors do not excuse or justify technical or procedural non-compliance. If local constraints affect a CA operator’s ability to meet these requirements, Mozilla expects that risk to be clearly identified, mitigated, or escalated.

Finally, to ensure clarity and proper tracking, Mozilla reiterates the requests in Comment #10 and Comment #12 that Netlock file a separate incident report addressing the identified incident-reporting non-compliance, consistent with CCADB incident reporting expectations (i.e. the report should describe the nature of the non-compliance, its root causes, the remediation measures taken, preventive measures implemented, etc.).

Mozilla values constructive, good-faith engagement and expects discussions to remain professional and respectful. At the same time, clear ownership of compliance obligations and demonstrable learning from ecosystem incidents are essential to maintaining trust.