On Fri, Mar 17, 2017 at 8:30 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S000000G3K2 > > Note that this is a _draft_ - the form parts will not work, and no CA > should attempt to use this URL or the form to send in any responses. > > Please provide feedback in this group on whether the questions and > actions are clear, whether they are appropriate, and whether anything > else should or could be added. > > Some of these items are effectively new policy (such as the requirement > to rev CP/CPS version numbers at least yearly); if they survive > unscathed, we will update the policy doc to include them.
"+ Friendly name and SHA1 or SHA256 fingerprint of each root certificate and intermediate certificate covered by the audit scope " I think you unintentionally have this backwards. Certificates in scope for audits are those _issued_ by the CA being audited. So if ExampleCA issues a CA certificate naming ContosoCA as the subject, then that certificate is in scope for Example CA but not for ContosoCA. I would also avoid the term "Friendly name" unless you define it, as that is the name of Microsoft trust list attribute which does not necessarily match anything in the certificate; for example one entry in the Microsoft list is for a CA with1 distinguished name of "CN=Class 1 Primary CA,O=Certplus,C=FR" and friendly name of "WoSign 1999". I would replace this with: + Distinguished name and SHA-256 hash of the SubjectPublicKeyInfo of each certificate issuer covered by the audit scope + Clear indication of which in-scope certificate issuers are Root CAs Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy