All,
In response to Tim Hollebeek's recent email on this topic (
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/HJDtlQEfUsY/m/1t6s5G2rAgAJ),
I have added a reference to CCADB Policy version 1.2.3.  Unless there are
additional comments, I am assuming that discussion on this topic can now be
closed. Here is a reference to the currently proposed language:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/117054ecf1eff757cfebe40d7c952ce1e3fca920
.
Thanks,
Ben




On Thu, Jun 29, 2023 at 8:44 AM Ben Wilson <bwil...@mozilla.com> wrote:

> Hi Pedro,
> If the CA has two sites, one primary and one secondary, and if the
> secondary site hasn't been audited during the audit period, then the audit
> letter should mention that.
> Thanks,
> Ben
>
> On Thu, Jun 29, 2023 at 1:39 AM Pedro Fuentes <pfuente...@gmail.com>
> wrote:
>
>> Hi Ben,
>> I'm a bit puzzled about how to specify the locations that "were not
>> audited".
>> What does this mean?
>> Thanks!
>> Pedro
>>
>> On Tuesday, June 27, 2023 at 17:37:44 UTC+2, Ben Wilson wrote:
>>
>>> All,
>>>
>>> Section 5.1 of the CCADB Policy
>>> https://www.ccadb.org/policy#51-audit-statement-content now specifies
>>> required audit letter content very similar to what is currently in section
>>> 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed
>>> that much of the current language in MRSP § 3.1.4 be removed. GitHub
>>> Issue #239 <https://github.com/mozilla/pkipolicy/issues/239>.  However,
>>> two items do not appear in the CCADB’s list of required audit content—(1)
>>> locations audited or not audited and (2) auditor qualifications.  Therefore,
>>> we are proposing the following language for the first paragraph of section
>>> 3.1.4.
>>>
>>> --- Begin MRSP Edit ---
>>>
>>> The publicly-available documentation relating to each audit MUST contain
>>> the information required by section 5.1 of the CCADB Policy and the CA
>>> locations that were or were not audited. Audit reports must also contain or
>>> be accompanied by the name of the lead auditor and qualifications of the
>>> team performing the audit, as required by section 3.2.
>>>
>>> --- End MRSP Edit ---
>>>
>>> See also
>>> https://github.com/Mozilla/pkipolicy/compare/bf36841af0686676f0435769db8c641d7d17dfb3..8968d9b6fedc1f94f4afa6a59ce609b759f497e6
>>>
>>> Please provide us with your comments or suggestions.
>>>
>>> Thanks,
>>>
>>> Ben and Kathleen
>>>
>>
