This issue #153, listed here: https://github.com/mozilla/pkipolicy/issues/153, is proposed for resolution with version 2.7.1 of the Mozilla Root Store Policy. It is related to Issue 139 <https://github.com/mozilla/pkipolicy/issues/139> (audits required even if not issuing).
The first paragraph of section 3.1.3 of the MRSP would read: Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than *annually* from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store or until all copies of the CA private key have been completely destroyed, as evidenced by a Qualified Auditor's key destruction report, whichever occurs sooner. Successive period-of-time audits MUST be contiguous (no gaps). Item 5 in the fifth paragraph of section 7.1 of the MRSP (new root inclusions) would read: 5. an auditor-witnessed root key generation ceremony report and contiguous period-of-time audit reports performed thereafter no less frequently than annually; The proposed language can be examined further in the following commits: https://github.com/BenWilson-Mozilla/pkipolicy/commit/0d72d9be5acca17ada34cf7e380741e27ee84e55 https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35 Or here: https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.7.1/rootstore/policy.md Thanks in advance for your comments, Ben _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
