On Tue, Jun 24, 2014 at 10:17:17AM -0700, Ryan Sleevi wrote:
> 
> However, if they address the problems that Erwann has specifically
> identified, does that reasonably give the community confidence that the
> audit - which failed to identify these - is competent and qualified? Is a
> new audit required? If so, is the same auditor acceptable?
> 
> Equally, as called out in the auditor's statement, no checks or procedures
> were performed to determine the operating effectiveness of the controls,
> for any period. Considering that a failure of controls led to TurkTrust
> issuing improper certificates, and considering the findings found by
> Erwann, it seems inappropriate to consider this CA for inclusion according
> to Mozilla's policies (here, Section 17 of the Inclusion Policy)

Should we mandate that the audit should also audit the procedures?

In my opinion the audit should:
- Check that the CPS complies with all the requirements.
- Check that the CPS is being followed.

I would also like the software they use to enforce as much as
possible and not rely on humans to check things that can be
automated.  That however does not mean it should only be checked
by the software.

I would also like clear rules on what happens when we detect that
they do not follow the requirements.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy