All,

This email introduces discussion of GitHub Issue #155 <https://github.com/mozilla/pkipolicy/issues/155> - Describe actions Mozilla may take upon receipt of a qualified audit.

The list below includes enforcement actions that Mozilla might take for any set of non-compliance events (not just serious issues discovered from a qualified audit). We also need to remain flexible with the actions to be taken, based on the circumstances.

- Require revocation of leaf certificates
- Require revocation of Intermediate CAs
- Intermediate CA(s) added to OneCRL
- Bugzilla Incident Reporting (Weekly)
- Point-in-Time audits to show that underlying issues have been fixed
- Plan of Action and Milestones (with monthly status reports)
- 60-day Period-of-Time Audits
- Detailed-controls audit reports
- Websites trust bit removal
- Root Removal

See also https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Recurring_Issues

Also, where in the MRSP should we put this new material -- as a new Section 3.1.5 under Section 3.1 "Audits"; as new Section 7.4 under Section 7; as a new subsection that is part of Section 7.3 (Removals); or as new Section 2.5 after 2.4 (Incidents)?

Thoughts and suggestions?

Thanks,
Ben
