On 6/19/14, 4:20 PM, Kathleen Wilson wrote:
This begins the discussion of the request from CFCA to include the “CFCA
GT CA” and “CFCA EV ROOT” root certificates, turn on all three trust
bits for the “CFCA GT CA” root certificate, turn on the websites trust
bit for the “CFCA EV ROOT” root certificate, and enable EV treatment for
the “CFCA EV ROOT” certificate. At the conclusion of this discussion I
will provide a summary of issues noted and action items. If there are
outstanding issues, then an additional discussion may be needed as
follow-up.
During the course of this discussion, this request was changed to only
be for inclusion of the "CFCA EV Root" certificate, turn on all three
trust bits, and enable EV for that root certificate.
In this timeframe we also created and discussed a new wiki page:
https://wiki.mozilla.org/CA:BaselineRequirements
Currently
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
says: "When egregious mistakes were overlooked by the auditor or there
are a significant number of oversights, then the CA must resolve the
issues and be re-audited. For the re-audit the CA can either get
re-audited by a different auditor, or have the current auditor provide
an immediate plan for correction and compliance, and then present a
mid-term partial audit following that plan. ..."
I propose to close this discussion with the following action items:
ACTION CFCA: state (in the bug) their plan for remediation of all of the
issues noted in this discussion.
ACTION CFCA: Decide if they will be re-audited by the same auditor, or
by a different auditor.
ACTION PwC: If CFCA's decision is to use the same auditor, then provide
a plan to improve audits so that the oversights that were found during
this discussion will not be missed in future audits.
ACTION Kathleen: After new audit statement has been received, start a
second round of discussion for CFCA's root inclusion request.
Does that sound reasonable?
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy