All,

I have begun receiving questions about the Audit Letter Validation (ALV) results in CCADB Audit Cases, so here is some information about it.

CAs and Root Store Operators who are logged into the CCADB will find in the Audit Case page a button called "Audit Letter Validation (ALV)". You can click on this button, even after an Audit Case is closed. You will get a page with the title "Audit Letter Validation Results", which will list the audit statement URLs, which root certificates were indicated to be in scope of the audit statements (via Root Cases), and a list of the resulting errors returned by ALV. After the results return, you can click on the "Print Report" button to get a summary.

ALV is a program provided by Microsoft that automatically parses audit statements, looking for specific information and comparing the information provided in the Audit Cases and corresponding Root Cases with the information in the provided audit statements. The audit statements must be in PDF format, and it is preferred that they are text-based instead of image-based, though ALV does also attempt to parse images.

A few things to note:

1) ALV is still in the testing phase, so our Audit Case process does not currently require CAs to click on the button and resolve all errors. We root store operators (Karina and I) are using each Audit Case to test and provide feedback to the ALV team.

2) ALV still has some bugs that the Microsoft team are working on, such as only looking for the SHA-256 Fingerprints in an audit statement if the Root Case indicated the audit statement applies to that root cert.

3) We still need to figure out the clean/qualified part of ALV -- want to fail when the audit statement has modified opinions or such. But want to pass when no problems noted. The point is to inform root store operators when we need to look more closely at an audit statement, and record a comment about problems that were noted by the auditors.

4) When we feel that ALV is ready for CAs, we plan to update the Audit Case process to require CAs to click on the ALV button and resolve or explain all resulting errors before they will submit their Audit Cases to us root store operators for final review.

5) After we get ALV working well for root certs, we plan to also use it for intermediate certificates.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
