On 12/04/2017 11:47, Gervase Markham wrote:
> There are some items that it would be very helpful for auditors to state
> in their public-facing audit documentation so that we can be clear about
> what was covered and what was not. The policy already has some
> requirements here, in section 3.1.3, mostly relating to dates.
>
> The proposal is to add the following bullets to section 3.1.3 ("Public
> Audit Information"), perhaps reordering the list as appropriate:
>
> * name of the company being audited
> * name and address of the organization performing the audit
> * DN and SHA1 or SHA256 fingerprint of each root and intermediate
> certificate that was in scope

Maybe just SHA256, since SHA1 is mostly dead.

> * audit criteria (with version number) that were used to audit each of
> the certificates
> * For ETSI, a statement that the audit was a full audit, and which parts
> of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP,
> EVCP+, Part 1 (General Requirements), and/or Part 2 (Requirements for
> trust service providers).
>
> This is: https://github.com/mozilla/pkipolicy/issues/58 and
> https://github.com/mozilla/pkipolicy/issues/28 .
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.5. Please keep discussion in this group rather than on Github. Silence
> is consent.
>
> Policy 2.4.1 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy