What about issues other than audits? For example, with certain locations 
closing, key ceremonies may become impossible, leading to downed CRLs/OCSP for 
intermediates. There's also a potential issue with trusted roles even being 
able to access the data center if something goes down and Sub CAs can't be 
revoked. Should that be mentioned, requiring CAs to file an incident report as 
soon as the event becomes likely? 

For the location issue, I think including the locations audited and the 
locations not audited (to the full criteria) as an emphasis of matter would be 
helpful. So maybe an emphasis like we audited the offices in x, y, and z. 
Office z was inaccessible to evaluate criteria 1-n. It gives you the list of 
locations and where there were issues in getting access due to the emergency. 
Same city is harder. For example, we have two locations in Utah. You could say 
Utah office 1 and Utah office 2 to obfuscate the information a little.

Jeremy

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Kathleen Wilson via dev-security-policy
Sent: Friday, March 20, 2020 2:07 PM
To: Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Auditing of CA facilities in lockdown because of an environmental 
disaster/pandemic

All,

I will greatly appreciate your ideas about the following.

In the Minimum Expectations section in
https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
I added:
""
* Both ETSI and WebTrust Audits must:
** Disclose each location that was included in the scope of the audit, as well 
as whether the inspection was physically carried out in person.
""

My question: What should "location" mean in the above requirement?

The problem is that we require public-facing audit statements, so I do not want 
sensitive or confidential information in the audit statements, such as the 
exact physical addresses of CA Operations and root cert private key storage.

What information could be added to audit statements to give us a clear sense 
about which CA facilities were and were not audited?

For example, if a CA happens to have two facilities in the same city that 
should be audited, how can the audit statement clearly indicate if all of that 
CA's facilities were audited without providing the exact physical addresses?

Thanks,
Kathleen



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy