On Tue, August 5, 2014 10:26 am, Kathleen Wilson wrote:
>  On 7/29/14, 2:00 PM, Kathleen Wilson wrote:
> > All,
> >
> > Thank you to those of you who have reviewed and commented on this
> > inclusion request from CFCA. I will appreciate your opinions in response
> > to my questions below regarding how to move forward with this request.
> >
> > Note that the “CFCA GT CA” root was included in Microsoft’s program in
> > December 2012, and the “CFCA EV ROOT” root was included in Microsoft’s
> > program in May 2013.
> >
> >
> >>
> >> On a matter of process/procedure,
>
>
>  So, shall we proceed with approval/inclusion of the "CFCA EV ROOT" cert
>  after verifying that CFCA has addressed the issues noted in this
>  discussion?
>
>  Or, shall we require another audit before we proceed with
>  approval/inclusion of the "CFCA EV ROOT" cert?
>
>  Kathleen

Kathleen,

Given the compliance issues that were identified, and the number of them,
it's difficult to believe the auditor matches the criteria of "competent
party", pursuant to sections 12 - 16 of the Mozilla Inclusion Policy.

Per Section 16, it seems the burden is on the CA to establish the
competence of the third party.

This is somewhat distressing, since the auditor was
PricewaterhouseCoopers, whose only other WebTrust audits (per
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
) are for the SECOM Roots. It's worth noting that the suitability of this
auditor has been discussed in the past (
https://groups.google.com/d/msg/mozilla.dev.security.policy/riLXu3ZJNso/HPOvC_5c0sUJ
), and that PricewaterhouseCoopers was also responsible for the DigiNotar
audit.

While it is ultimately the decision of Mozilla, per the inclusion policy,
as to whether the auditor meets criteria, the evidence and experience
gathered so far I believe casts a serious shadow.

Respectfully, and individually, I think the issues here are egregious
enough, and in sufficient number, to request a new audit by a new auditor,
pursuant to Mozilla's policies of requiring the CA to establish the
competence of the auditor.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy