mozilla / www.ccadb.org

Website about the Mozilla-run Common CA Database

Incident Response Update Frequency #99

Open WilsonKathleen opened 1 year ago

WilsonKathleen commented 1 year ago

We should add a section to https://www.ccadb.org/cas/incident-report that sets expectations about when and how frequently a CA should provide an update about their incident until it is fully resolved. E.g., if the CA provides a timeline for when they will take action (and that is accepted), then they must provide an update by each date set out in their timeline. Otherwise, the CA should provide a weekly update until they have fully resolved the incident on their end and are just waiting for root store operators to request further actions, close the issue, or make other determinations...

ChristopherRC commented 1 year ago

It currently includes a should statement. However, this does depend on the reporter providing clear steps, status, and dates in response to the 7th topic in the incident report.

Incident reports should be updated when:

  • Identifying changes to a step for resolution,
  • Completion of a resolution step, or
  • Delays in completing a resolution step.