All,
As you know, we've moved the CA Program data from spreadsheets into
SalesForce.
We are now creating a program that will be run once per month to
automatically send email to CAs when audit statements are past due;
meaning that the audit statement date is over a year old.
"30 days past due" = The audit statement date is older than 1 year plus
30 days. For example an audit statement dated December 12, 2013, is now
over 1 year plus 30 days old, so the CA would receive the first
"courtesy reminder" email.
DRAFT Audit Reminder Email Templates
== 30 to 120 days past due ==
Subject: Mozilla Audit Reminder
Dear Certification Authority,
This is a courtesy reminder from Mozilla that updated audit statements
are due for the following root certificates:
- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc
Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>
As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certifica...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.
This is an automated email that will be sent monthly until the audit
statements have been updated in our records.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==
== 120 to 240 days past due ==
Subject: Mozilla Audit Reminder (over 4 months past due)
Dear Certification Authority,
Updated audit statements are due for the following root certificates. If
you do not respond promptly with updated audit information, a Mozilla
representative will file a Bugzilla Bug and start a discussion in the
mozilla.dev.security.policy discussion forum to record that audit
statements are past due for these root certificates.
- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc
Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>
As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certifica...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.
This is an automated email that will be sent monthly until the audit
statements have been updated in our records.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==
== 240 days and past due ==
Subject: Mozilla Audit Reminder (over 8 months past due)
Dear Certification Authority,
Your root certificates as listed below are in danger of being removed
from Mozilla's root store, because the audit statements that we have on
record are over 20 months old. If you do not respond promptly with
updated audit information, we will initiate the process of removing
these root certificates.
- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc
Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>
As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certifica...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.
This is an automated email that will be sent monthly until the audit
statements have been updated in our records or the corresponding root
certificates have been disabled or removed from NSS.
Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==
I will appreciate your thoughtful and constructive feedback on these
audit reminder email templates.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
