On Tue, Jun 26, 2018 at 4:29 PM, Pedro Fuentes via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Hi Ryan,
> My comments below.
>
> On Tuesday, 26 June 2018, 21:12:44 (UTC+2), Ryan Sleevi wrote:
> >
> > I just want to make sure - the plan is to provide a Period of Time report
> > from when the key was created to 1 year after (i.e. 9 May 2017 to 8 May
> > 2018)?
> > If so, that definitely closes the gap.
>
> Yes, we are formulating a solution to close the gap. The proposal that we
> made to solve the issue is to change the start date of our annual audit
> period, so it coincides with the creation of the new Root GC and covers 12
> months after this date, but being in scope the whole certification practice
> and the three roots (GA, GB and GC).
>
> This implies an overlap with the periods already audited, but closes any
> perceived gap.
>
> > Alternatively, a report on the 9 May 2017 to 15 September 2017 period
> > would also close it.
>
> This is not appropriate as it would imply having to run two audits, one
> for GA+GB and another for GC. The above solution allows us to have an easier
> follow-up next year.
>

To be fair, you can align those periods by having one report prepared for 9 May 2017 to your current audit period, and then include GC in with your normal audit - without having to alter your period. It allows you to maintain your current audit cycle entirely.

> Is it too adventurous of me to say that we have a deal?
>

With a heads up that we'll be looking very closely compared to illustrative reports to understand if any deviations are meaningful and significant, I think that sounds like a way of addressing the uncertainty gap present :)