I updated this part of the wiki page:
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes

The section is long, so I won't copy it all here. The most significant change is the addition of the last sentence in this paragraph:

"When egregious mistakes were overlooked by the auditor, or there are a significant number of oversights, or the auditor did not notice BR compliance problems with the root or intermediate certificates, then the CA must resolve the issues and be re-audited. For the re-audit the CA can either get re-audited by a different auditor, or have the current auditor provide an immediate plan for correction and compliance, and then present a mid-term partial audit following that plan. In either case, the auditor must provide documentation about steps they are taking to avoid making the same mistakes in future audits."

Basically, if an auditor intends to continue to audit CAs in Mozilla's program, then we need assurances from the auditor that the things that were missed will not be missed in future audits.

I will appreciate feedback on this section of the wiki page.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy