On 2017-04-12 11:47, Gervase Markham wrote:
There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what was not. The policy already has some requirements here, in section 3.1.3, mostly relating to dates.The proposal is to add the following bullets to section 3.1.3 ("Public Audit Information"), perhaps reordering the list as appropriate: * name of the company being audited * name and address of the organization performing the audit * DN and SHA1 or SHA256 fingerprint of each root and intermediate certificate that was in scope
The SHA256 of what? The certificate? There can be multiple certificates for the same CA. It should probably be made more clear, like a hash of the subject DN.
Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
