On Thu, 22 Oct 2020, 20:53 Ben Wilson via dev-security-policy, <dev-security-policy@lists.mozilla.org> wrote:

> That proposal is to have section 2.4 read as follows: "If
> being audited to the WebTrust criteria, the Management Assertion letter
> MUST include all known incidents that occurred or were still
> open/unresolved at any time during the audit period."
>
> [...]
>
> Proposed language for section 3.1.4 is:
>
> "11. all incidents (as defined in section 2.4) that occurred or were still
> open/unresolved at any time during the audit period, or a statement that
> the auditor is unaware of any;"
>
> I look forward to your comments, suggestions and discussions.
The current MRSP do not bind the requirements on the reporting of incidents to the CA that the incident was filed on, but generally to CAs. Section 2.4 has the general requirement for a CA to report any incident (which is a failure to comply with the MRSP by any CA). So, if a CA is aware of an incident with another CA which is included in the Mozilla root store, that must be reported, and I agree with that.

But the requirements also extend to having to regularly update these incidents, and to report these incidents in their audit letter, even if they are not related to that CA.

I suggest updating this wording, and clarifying these requirements, to only include incidents that occurred within the CA's certificate hierarchy, e.g.:

"11. all incidents (as defined in section 2.4) that occurred or were still ..." -> "11. all incidents (as defined in section 2.4) _within the CA's trust hierarchy_ that occurred or were still ..."

I believe the same comment applies to issue #154, and to the requirements in section 2.4, excluding the requirement to file a report for incidents when discovered.

-Matthias