On 8/27/14, 9:15 AM, Kathleen Wilson wrote:
Based on the discussion so far, I think the answer is that the CAs need
to work with their auditors to create a public-facing audit statement
that does not have information in it that the CA considers sensitive,
but that sufficiently lists the BRs that the CA is still working to
conform with.
I added text about this to
https://wiki.mozilla.org/CA:BaselineRequirements#BR_Audits
==
As with the other audits required of CAs in Mozilla's Program, the BR
Audit statement must be a public-facing document. Section 6 of Mozilla's
CA Certificate Inclusion Policy says: "We require that all CAs whose
certificates are distributed with our software products: ... publicly
disclose information about their policies and business practices (e.g.,
in a Certificate Policy and Certification Practice Statement); ...
provide *public attestation* of their conformance to the stated
verification requirements and other operational criteria by a competent
independent party or parties with access to details of the CA’s internal
operations."
As previously stated, it is acceptable for an audit statement to list
the BRs that the CA is not yet fully in compliance with. However, this
may result in an auditor providing information in the BR audit statement
that the CA considers sensitive (e.g. subordinate CA specifics, RA
information, customer information, or security sensitive information).
Each CA must work with their auditor to create a public-facing BR audit
statement that does not have information in it that the CA considers
sensitive, but that sufficiently lists the BRs that the CA is still
working to conform with.
Here are some examples of the level of information that should be
included in the BR audit statement with regard to BRs that the CA is not
yet fully conforming to.
  BR 9.5 - 1024-bit certs with validity beyond 2013 (in order to support legacy customer apps)
  BR 13.2.6 - OCSP giving status “good” for unknown serial numbers.
  BR 16.5 - multi-factor authentication for all accounts capable of directly causing certificate issuance
  BR 17.5 - The audit period for the Delegated Third Party SHALL NOT exceed one year
  BR 17.8 - audits on at least a quarterly basis against a randomly selected sample of the greater of one certificate or at least three percent of the Certificates issued by it during the period commencing immediately after the previous self-audit sample was taken
  BR 11.2 - re-verifying identity for cert renewal requests
==
I'll appreciate feedback on this.
Thanks,
Kathleen
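Added example, not part of Kathleen's post or of Mozilla's wiki text: a toy OCSP status-decision routine that shows the BR 13.2.6 failure mode from the list above (a responder answering “good” for serial numbers the CA never issued) beside the compliant decision, plus an auditor-style probe that detects the noncompliant behaviour. The serial sets, the status strings and the probe function are constructed for illustration; no real OCSP request or response encoding is performed.

```python
"""Toy OCSP status logic illustrating BR 13.2.6 (added example)."""
import random

# Constructed, hypothetical CA records: serials the CA actually issued
# and the subset it has since revoked.
ISSUED_SERIALS = {0x1001, 0x1002, 0x1003}
REVOKED_SERIALS = {0x1002}


def status_noncompliant(serial: int) -> str:
    """The pattern BR 13.2.6 forbids: the responder only consults the
    revocation list, so any serial not on it, including one the CA never
    issued, is reported as "good"."""
    return "revoked" if serial in REVOKED_SERIALS else "good"


def status_compliant(serial: int) -> str:
    """Consult the issuance record first; a serial with no issuance record
    is reported as "unknown" rather than "good"."""
    if serial not in ISSUED_SERIALS:
        return "unknown"
    return "revoked" if serial in REVOKED_SERIALS else "good"


def audit_responder(decide, trials: int = 16, seed: int = 1) -> list:
    """Auditor-style check (constructed): query the decision function with
    random 64-bit serials that are not in the issuance record and return
    every serial for which it answered "good".  An empty list means the
    responder passed this check."""
    rng = random.Random(seed)
    bad = []
    for _ in range(trials):
        serial = rng.getrandbits(64)
        if serial in ISSUED_SERIALS:  # vanishingly unlikely, but skip it
            continue
        if decide(serial) == "good":
            bad.append(serial)
    return bad


if __name__ == "__main__":
    print("noncompliant responder, unissued serials answered good:",
          len(audit_responder(status_noncompliant)))
    print("compliant responder, unissued serials answered good:",
          len(audit_responder(status_compliant)))
```

The compliant version depends on the responder having access to the CA's issuance record, not only its CRL data; that is the operational change an audit statement listing BR 13.2.6 as a gap would describe.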
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy