Kathleen, 

Would it make sense to poll auditors with this wording change? There are some on 
the CABForum mailing list (Wayne could verify) as I suspect it would be more 
beneficial for auditors themselves to see, agree and above all acknowledge the 
intent behind the stance you are taking? 

Thanks.

Sent from my iPhone

> On 3 Sep 2014, at 22:24, Kathleen Wilson <kwil...@mozilla.com> wrote:
> 
> I updated this part of the wiki page:
> 
> https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
> 
> The section is long, so I won't copy it all here.
> 
> The most significant change is the addition of the last sentence in this 
> paragraph:
> 
> "When egregious mistakes were overlooked by the auditor, or there are a 
> significant number of oversights, or the auditor did not notice BR compliance 
> problems with the root or intermediate certificates, then the CA must resolve 
> the issues and be re-audited. For the re-audit the CA can either get 
> re-audited by a different auditor, or have the current auditor provide an 
> immediate plan for correction and compliance, and then present a mid-term 
> partial audit following that plan. In either case, the auditor must provide 
> documentation about steps they are taking to avoid making the same mistakes 
> in future audits."
> 
> Basically, if an auditor intends to continue to audit CAs in Mozilla's 
> program, then we need assurances from the auditor that the things that were 
> missed will not be missed in future audits.
> 
> 
> I will appreciate feedback on this section of the wiki page.
> 
> Thanks,
> Kathleen
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
