All,

Section 5.1 of the CCADB Policy
https://www.ccadb.org/policy#51-audit-statement-content now specifies
required audit letter content very similar to what is currently in section
3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed
that much of the current language in MRSP § 3.1.4 be removed. GitHub
Issue #239 <https://github.com/mozilla/pkipolicy/issues/239>.  However, two
items do not appear in the CCADB’s list of required audit content—(1)
locations audited or not audited and (2) auditor qualifications.  Therefore,
we are proposing the following language for the first paragraph of section
3.1.4.

--- Begin MRSP Edit ---

The publicly-available documentation relating to each audit MUST contain
the information required by section 5.1 of the CCADB Policy and the CA
locations that were or were not audited. Audit reports must also contain or
be accompanied by the name of the lead auditor and qualifications of the
team performing the audit, as required by section 3.2.

--- End MRSP Edit ---

See also
https://github.com/Mozilla/pkipolicy/compare/bf36841af0686676f0435769db8c641d7d17dfb3..8968d9b6fedc1f94f4afa6a59ce609b759f497e6

Please provide us with your comments or suggestions.

Thanks,

Ben and Kathleen
