I've updated this subject line for consistency with the other issues.

On Tue, Oct 6, 2020 at 2:31 PM Ben Wilson <bwil...@mozilla.com> wrote:

> Here is the first issue for discussion here on the m.d.s.p. list relative to the next version of the Mozilla Root Store Policy (v.2.7.1).
>
> #139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are required even if no longer issuing - Clarify that audits are required until the CA certificate is revoked, expired, or removed. Related to Issue #153 <https://github.com/mozilla/pkipolicy/issues/153>.
>
> Seven (7) comments are listed so far for this issue in GitHub, including discussion re: whether auditors can provide reports when a CA isn't being used to issue certificates.
>
> I made an initial attempt to address this with some language in line 272 in the following commit in my GitHub repository - https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35 (related changes also appear below in that commit).
>
> The suggested language would amend the first paragraph of section 3.1.3 of the MRSP to read, "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than *annually* from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store or until all copies of the CA private key have been completely destroyed, as evidenced by a Qualified Auditor's key destruction report, whichever occurs sooner. Successive period-of-time audits MUST be contiguous (no gaps)."
>
> We will need to discuss scope and timing for implementing this requirement.
>
> Thanks in advance for your contributions and suggestions.
>
> Ben

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy