On 12/01/2017 18:12, Gervase Markham wrote:
The current CA policy does not specify when audit reports are due to
Mozilla relative to the end date of the audit period. It only says that
CAs must provide the reports to Mozilla within 30 days of receiving the
report from their auditor.
Peter Bowen proposed some revised and more specific requirements, which
can be read in the issue, and I've taken the opportunity to split the
audit stuff (which is important both for Inclusion and Maintenance) out
of the Inclusion section into its own section.
I've made the changes on a branch; the diff can be seen here:
https://github.com/mozilla/pkipolicy/compare/issue-7
Mostly it involves moving the audit parts from the Inclusion section to
their own section, but then I've added a new bullet (bullet 7) which has
the requirements on dates (a little reworded), plus also one requirement
extracted from elsewhere in the document.
It also means we now have a specific section defining the required
contents for audit reports. Later, we may have other things to add to
that section :-)
This is: https://github.com/mozilla/pkipolicy/issues/7
-------
This is a proposed update to Mozilla's root store policy for version
2.4. Please keep discussion in this group rather than on GitHub. Silence
is consent.
Policy 2.3 (current version):
https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates
Notes on the text in that branched section (other than the actual
change discussed here):
- It does not include some other changes under discussion (such as the
new version of the BRs). This may need to be manually reapplied after
merging in the movement of text from the inclusion to the audit
section.
- There is no clause that can formally cover the recent decision by
Mozilla to disqualify a specific auditor in Hong Kong. E.g. something
along the lines that Mozilla may publicly announce at /url/ that
certain parties that match these criteria will not be trusted for
reasons there stated.
- There is no set of non-ETSI audit criteria for e-mail certificates as
trusted by Mozilla Thunderbird.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded