All,
I am running into a problem with BR audit statements that list details
about issues that have been found.
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
"...The first BR audit for each CA and subCA may include a reasonable
list of BRs that the CA (or subCA) is not yet in compliance with. ..."
The problem is that some BR audit statements provide information about
the CA's BR non-conformance that the CA considers to be sensitive (and
non-publishable) information.
As you know, Mozilla's policy requires public-facing audit statements.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"6. ... provide public attestation of their conformance to the stated
verification requirements ..."
So, I need a way forward that enables the CA to provide the required BR
audit statement without publicly disclosing sensitive information.
Just brainstorming...
Would it be OK to accept public-facing BR audit statements that have the
information about the issues redacted?
In the spreadsheet of included roots, I could add a column to list BR
section numbers that were in the redacted information.
I will appreciate thoughtful and constructive input on this topic.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy