Hi Kathleen, This is a good idea, and I like the phased-in approach. The mapping exercise is similar to how other communities evaluate inclusion requests and makes it more apparent how the CA is complying with the various Mozilla requirements. An extension on this could be to have CAs annually file an updated mapping with their WebTrust audit. That way it's a reminder that the CA needs to notify Mozilla of changes in their process and keeps the CAs thinking about updating practices to stay in-line with the baseline requirements. Plus, a practice like that would provide better notice to the public on CA policy changes and how CAs are responding to new threats.
Jeremy

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Kathleen Wilson via dev-security-policy
Sent: Wednesday, March 29, 2017 11:55 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: DRAFT - BR Self Assessments

All,

As mentioned in the GDCA discussion[1], I would like to add a step to Mozilla's CA Inclusion/Update Request Process[2] in which the CA performs a self-assessment about their compliance with the CA/Browser Forum's Baseline Requirements.

A draft of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Here's how I am considering introducing this new step. Of course, this only applies to CAs who are requesting the Websites trust bit.

+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
+ For CAs currently in the Information Verification phase, I would ask them to perform this BR Self Assessment before we would continue with Information Verification.
+ For new requests, we would have the BR Self Assessment be the very first step.

I would greatly appreciate your feedback on adding this step to the root inclusion/update process, the wiki page draft, and the template.

Thanks,
Kathleen

[1] https://groups.google.com/d/msg/mozilla.dev.security.policy/kB2JrygK7Vk/Kk7Le2F7CQAJ
[2] https://wiki.mozilla.org/CA

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy