On Fri, Mar 20, 2020 at 4:15 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> What about issues other than audits? For example, with certain locations
> closing, key ceremonies may become impossible, leading to downed CRLs/OCSP
> for intermediates. There's also a potential issue with trusted roles even
> being able to access the data center if something goes down and Sub CAs
> can't be revoked. Should that be mentioned, requiring CAs to file an
> incident report as soon as the event becomes likely?

Yes. I think those are, quite honestly, much more concerning, because that's not about a CA's relationship with an external party, but about a CA's own preparedness for disaster. In any event, as with /any/ incident, the sooner it's filed, and the more information and context is provided, the more effective a response can be.

> For the location issue, I think including the locations audited and the
> locations not audited (to the full criteria) as an emphasis of matter would
> be helpful. So maybe an emphasis like we audited the offices in x, y, and
> z. Office z was inaccessible to evaluate criteria 1-n. It gives you the list
> of locations and where there were issues in getting access due to the
> emergency.

Yup. That is the model WebTrust is using, and that reasonably meets the objective here of informing relying parties when the auditor faced limitations that should be considered when evaluating their report.