On 9/3/2014 2:43 PM, Matt Palmer wrote:
> On Wed, Sep 03, 2014 at 02:24:04PM -0700, Kathleen Wilson wrote:
>> The most significant change is the addition of the last sentence in
>> this paragraph:
>>
>> "When egregious mistakes were overlooked by the auditor, or there
>> are a significant number of oversights, or the auditor did not
>> notice BR compliance problems with the root or intermediate
>> certificates, then the CA must resolve the issues and be re-audited.
>> For the re-audit the CA can either get re-audited by a different
>> auditor, or have the current auditor provide an immediate plan for
>> correction and compliance, and then present a mid-term partial audit
>> following that plan. In either case, the auditor must provide
>> documentation about steps they are taking to avoid making the same
>> mistakes in future audits."
>>
>> Basically, if an auditor intends to continue to audit CAs in
>> Mozilla's program, then we need assurances from the auditor that the
>> things that were missed will not be missed in future audits.
> 
> Would it be worth making that explicit, by saying something like, "Failure of
> the Auditor to satisfy Mozilla that they have corrected the deficiencies in
> their auditing process may jeopardise their standing as a trusted auditor
> for the Mozilla root program"?  While we on this list understand the
> ramifications of not doing so, I'm not sure that an auditor or other person
> reading that paragraph would understand the consequences of the auditor not
> providing the necessary documentation.
> 
> Personally, I find it rather amusing that we've got a "Quis custodiet ipsos
> custodes?" situation with auditors.  Kinda makes you wonder if giving
> auditing responsibility for technical systems to *accountants* was such a
> winning move...
> 
> - Matt
> 

I strongly agree with Matt Palmer's suggestion.

-- 
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy