I reviewed the associated GitHub commentary on the following change:

"Full-surveillance period-of-time audits MUST be conducted and updated audit
information provided no less frequently than **annually** until the CA 
certificate is no longer trusted by Mozilla's root store. Successive audits
information provided no less frequently than **annually** from the time of CA 
key pair generation until the CA certificate is no longer trusted by Mozilla's 
root store or until all copies of the CA private key have been completely 
destroyed, as evidenced by a Qualified Auditor's key destruction report, 
whichever occurs sooner."

and I'm having difficulty understanding why there is a new stipulation to allow 
for key destruction reports to release a CA from the obligation of annual 
audits for its CA certificates. Is the intent to specify that if the key 
material and operations for a given CA are transferred to another organization, 
the obligation to have annual audits for the original organization no longer 
stands, or is there some other reason for the addition of this language?

Thanks,
Corey

On Thursday, October 15, 2020 at 5:00:49 PM UTC-4, Ben Wilson wrote:
> This issue #153, listed here: 
> https://github.com/mozilla/pkipolicy/issues/153, is proposed for resolution 
> with version 2.7.1 of the Mozilla Root Store Policy. It is related to Issue 
> 139 <https://github.com/mozilla/pkipolicy/issues/139> (audits required even 
> if not issuing). 
> 
> The first paragraph of section 3.1.3 of the MRSP would read: 
> 
> Full-surveillance period-of-time audits MUST be conducted and updated audit 
> information provided no less frequently than *annually* from the time of CA 
> key pair generation until the CA certificate is no longer trusted by 
> Mozilla's root store or until all copies of the CA private key have been 
> completely destroyed, as evidenced by a Qualified Auditor's key destruction 
> report, whichever occurs sooner. Successive period-of-time audits MUST be 
> contiguous (no gaps). 
> Item 5 in the fifth paragraph of section 7.1 of the MRSP (new root 
> inclusions) would read: 
> 
> 5. an auditor-witnessed root key generation ceremony report and contiguous 
> period-of-time audit reports performed thereafter no less frequently than 
> annually; 
> 
> The proposed language can be examined further in the following commits: 
> 
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/0d72d9be5acca17ada34cf7e380741e27ee84e55
> 
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35
> 
> Or here: 
> https://github.com/BenWilson-Mozilla/pkipolicy/blob/2.7.1/rootstore/policy.md 
> 
> Thanks in advance for your comments, 
> 
> Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
