On 9/2/14, 4:29 PM, Kathleen Wilson wrote:
I propose to close this discussion with the following action items:


I will take the lack of response to mean that everyone is OK with this proposal. However, as mentioned in a different discussion thread, the wiki page has been updated. So I will update the PwC action item to remove the "if".
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
==
When egregious mistakes were overlooked by the auditor, or there are a significant number of oversights, or the auditor did not notice BR compliance problems with the root or intermediate certificates, then the CA must resolve the issues and be re-audited. For the re-audit the CA can either get re-audited by a different auditor, or have the current auditor provide an immediate plan for correction and compliance, and then present a mid-term partial audit following that plan. In either case, the auditor must provide documentation about steps they are taking to avoid making the same mistakes in future audits. If the auditor fails to assure Mozilla that they have corrected the deficiencies in their auditing process, then their standing as a trusted auditor for the Mozilla root program may be jeopardized.
==


I am now closing this discussion regarding CFCA's root inclusion request.

The following action items will be tracked in the bug.

ACTION CFCA: State (in the bug) CFCA's plan for remediation of all of the issues noted in this discussion.

ACTION CFCA: Decide if CFCA will be re-audited by the same auditor, or by a different auditor. And get re-audited.

ACTION PwC: Provide a plan to improve PwC audits so that the oversights that were found during this discussion will not be missed in future PwC audits.

ACTION Kathleen: After the new audit statement has been received, start a second round of discussion for CFCA's root inclusion request.

Any further follow-up on this request should be added directly to the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=926029

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
