Mozilla began requiring BR audits for roots in our program in 2013 [1], but we have a vague policy statement in section 3.1 regarding audit requirements prior to inclusion:
> Before being included and periodically thereafter, CAs MUST obtain certain audits…

BR section 8.1 contains the following paragraph:

> If the CA does not have a currently valid Audit Report indicating compliance with one of the audit schemes listed in Section 8.1, then, before issuing Publicly-Trusted Certificates, the CA SHALL successfully complete a point-in-time readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in Section 8.1. The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme within ninety (90) days of issuing the first Publicly-Trusted Certificate.

Unfortunately, the definition of Publicly-Trusted Certificates exempts newly created roots from this requirement, and in practice we have seen that violating this requirement does not prevent roots from receiving BR audit statements. We continue to see inclusion requests for roots that do not have an unbroken chain of BR audits back to first issuance.

I propose that we add a requirement to Mozilla policy section 3.1.3 for roots to have contiguous audits beginning within 90 days of issuing the first certificate. I chose 90 days to allow some time for issuing subordinate CA certificates and test certificates in preparation for the audit.

This is: https://github.com/mozilla/pkipolicy/issues/113

[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/Mezqdljjerc/nIirftRqAgAJ

-------
This is a proposed update to Mozilla's root store policy for version 2.6. Please keep discussion in this group rather than on GitHub. Silence is consent.

Policy 2.5 (current version): https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy