On Thu, Jan 28, 2021 at 3:05 PM Ben Wilson <bwil...@mozilla.com> wrote:
> Thanks. My current thinking is that we can leave the MRSP "as is" and
> that we write up what we want in
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications,
> which is, as you note, information about members of the audit team and how
> individual members meet #2, #3, and #6.
>

Is this intended as a temporary fix until the issue is meaningfully addressed? Or are you seeing this as a long-term resolution of the issue?

I thought the goal was to make the policy clearer on the expectations, and my worry is that it would be creating more work for you and Kathleen, and the broader community, because it puts the onus on you to chase down CAs to provide the demonstration because they didn't pay attention to it in the policy. This was the complaint previously raised about "CA Problematic Practices" and things that are forbidden, so I'm not sure I understand the distinction/benefit here from moving it out?

I think the relevance to MRSP is trying to clarify whether Mozilla thinks of auditors as individuals (as it originally did), or whether it thinks of auditors as organizations. I think that if MRSP was clarified regarding that, then the path you're proposing may work (at the risk of creating more work for y'all to request that CAs provide the information that they're required to provide, but didn't know that).

If the issue you're trying to solve is one about whether it's in the audit letter vs communicated to Mozilla, then I think it should be possible to achieve that within the MRSP and explicitly say that (i.e. not require it in the audit letter, but still requiring it).

Just trying to make sure I'm not overlooking or misunderstanding your concerns there :)

> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy