All,

I have begun receiving questions about the Audit Letter Validation (ALV)
results in CCADB Audit Cases, so here is some information about it.

CAs and Root Store Operators who are logged into the CCADB will find in
the Audit Case page a button called "Audit Letter Validation (ALV)". You
can click on this button, even after an Audit Case is closed. You will
get a page with title "Audit Letter Validation Results", which will list
the audit statement URLs, which root certificates were indicated to be
in scope of the audit statements (via Root Cases), and a list of the
resulting errors returned by ALV. After the results return, you can
click on the "Print Report" button to get a summary.

ALV is a program provided by Microsoft that automatically parses audit
statements, looking for specific information and comparing the
information provided in the Audit Cases and corresponding Root Cases
with the information in the provided audit statements. The audit
statements must be in PDF format, and it is preferred that they are
text-based instead of image-based, though ALV does also attempt to parse
images.

A few things to note:
1) ALV is still in the testing phase, so our Audit Case process does not
currently require CAs to click on the button and resolve all errors. We
root store operators (Karina and I) are using each Audit Case to test
and provide feedback to the ALV team.
2) ALV still has some bugs that the Microsoft team are working on, such
as only looking for the SHA-256 Fingerprints in an audit statement if
the Root Case indicated the audit statement applies to that root cert.
3) We still need to figure out the clean/qualified part of ALV -- we want
it to fail when the audit statement has modified opinions or such, but to
pass when no problems are noted. The point is to inform root store
operators when we need to look more closely at an audit statement, and
record a comment about problems that were noted by the auditors.
4) When we feel that ALV is ready for CAs, we plan to update the Audit
Case process to require CAs to click on the ALV button and resolve or
explain all resulting errors before they will submit their Audit Cases
to us root store operators for final review.
5) After we get ALV working well for root certs, we plan to also use it
for intermediate certificates.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
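
As an added illustration of the comparison described in the message above (this is not Microsoft's ALV code, and the message does not describe ALV's actual parsing rules): a Python example that extracts SHA-256 fingerprints from audit statement text already converted from PDF and compares them with the fingerprints recorded for the in-scope roots, reporting mismatches in both directions. The function names, error labels and sample data are assumptions constructed for the example.

```python
import hashlib
import re

# 32 hex byte pairs, optionally separated by colons, spaces or line breaks
# (audit letters often group or wrap fingerprints).
FP_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[\s:]*){31}[0-9A-Fa-f]{2}\b")

def normalize(fp):
    """Canonical form: 64 uppercase hex digits, no separators."""
    return re.sub(r"[\s:]", "", fp).upper()

def extract_fingerprints(text):
    """Return every SHA-256-sized fingerprint found in the letter text."""
    return {normalize(m.group()) for m in FP_RE.finditer(text)}

def check_letter(letter_text, in_scope):
    """Compare letter text with in_scope {root name: fingerprint}.

    Returns sorted (error, detail) tuples; an empty list means they agree.
    """
    found = extract_fingerprints(letter_text)
    expected = {normalize(fp): name for name, fp in in_scope.items()}
    errors = [("missing_from_letter", name)
              for fp, name in expected.items() if fp not in found]
    errors += [("not_in_root_case", fp) for fp in found - set(expected)]
    return sorted(errors)

# Constructed sample data: fingerprints are hashes of labels, not real roots.
FP_A = hashlib.sha256(b"constructed root A").hexdigest()
FP_B = hashlib.sha256(b"constructed root B").hexdigest()
FP_C = hashlib.sha256(b"constructed root C").hexdigest()

# Root A is colon-separated, Root C is wrapped across a line break,
# and Root B (recorded as in scope) does not appear in the letter at all.
LETTER = (
    "The following roots were in scope of this audit.\n"
    "Root A  SHA-256: " + ":".join(re.findall("..", FP_A.upper())) + "\n"
    "Root C  SHA-256: " + FP_C[:32] + "\n" + FP_C[32:] + "\n"
)
IN_SCOPE = {"Root A": FP_A, "Root B": FP_B}

if __name__ == "__main__":
    for error in check_letter(LETTER, IN_SCOPE):
        print(error)
```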