On 9/2/14, 4:29 PM, Kathleen Wilson wrote:
> I propose to close this discussion with the following action items:

I will take the lack of response to mean that everyone is OK with this
proposal.
However, as mentioned in a different discussion thread, the wiki page
has been updated. So I will update the PwC action item to remove the "if".
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
==
When egregious mistakes were overlooked by the auditor, or there are a
significant number of oversights, or the auditor did not notice BR
compliance problems with the root or intermediate certificates, then the
CA must resolve the issues and be re-audited. For the re-audit the CA
can either get re-audited by a different auditor, or have the current
auditor provide an immediate plan for correction and compliance, and
then present a mid-term partial audit following that plan. In either
case, the auditor must provide documentation about steps they are taking
to avoid making the same mistakes in future audits. If the auditor fails
to assure Mozilla that they have corrected the deficiencies in their
auditing process, then their standing as a trusted auditor for the
Mozilla root program may be jeopardized.
==
I am now closing this discussion regarding CFCA's root inclusion request.
The following action items will be tracked in the bug.

ACTION CFCA: State (in the bug) CFCA's plan for remediation of all of
the issues noted in this discussion.

ACTION CFCA: Decide if CFCA will be re-audited by the same auditor, or
by a different auditor. And get re-audited.

ACTION PwC: Provide a plan to improve PwC audits so that the oversights
that were found during this discussion will not be missed in future PwC
audits.

ACTION Kathleen: After the new audit statement has been received, start
a second round of discussion for CFCA's root inclusion request.

Any further follow-up on this request should be added directly to the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=926029

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy