Re: Audit Reminder Email Summary
Here's a summary of the audit reminder email that was sent today. Note that the email now tells CAs to provide their annual updates via the Common CA Database, as follows. "Please provide your annual updates via the Common CA Database (CCADB), as described here: https://wiki.mozilla.org/CA:CommonCADatabase#Updating_Audit_Information " Also note that for root certificates with the Websites trust bit enabled, the annual updates must include: 1) Current audit statements 2) Update CP/CPS documents* 3) Test websites (valid, revoked, expired)** * Section 2 of the BRs: The CA SHALL develop, implement, enforce, and *annually update* a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements. ** Section 2.2 of the BRs: The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the *CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired.* Forwarded Message Subject:Summary of March 2017 Audit Reminder Emails Date: Tue, 21 Mar 2017 19:03:58 + (GMT) From: Mozilla CA Program Manager Mozilla: Audit Reminder Root Certificates: SZAFIR ROOT CA2 Standard Audit: https://cert.webtrust.org/SealFile?seal=2018=pdf Audit Statement Date: 2016-03-18 BR Audit: https://cert.webtrust.org/SealFile?seal=2018=pdf BR Audit Statement Date: 2016-03-18 CA Comments: null Mozilla: Audit Reminder Root Certificates: Autoridad de Certificacion Firmaprofesional CIF A62634068 Standard Audit: https://cert.webtrust.org/SealFile?seal=2032=pdf Audit Statement Date: 2016-04-11 BR Audit: https://bug521439.bmoattachments.org/attachment.cgi?id=8809981 BR Audit Statement Date: 2016-08-05 EV Audit: https://bug521439.bmoattachments.org/attachment.cgi?id=8809982 EV Audit Statement Date: 2016-08-05 CA Comments: BR and EV audits have happened, but there are action plans being presented to the auditors. Primary issues are use of UTF8 instead of PrintableString in jurisdictionOfIncorporation, and a recently repealed Spanish law that required privat Mozilla: Audit Reminder Root Certificates: Buypass Class 2 Root CA Buypass Class 3 Root CA Standard Audit: http://www.buypass.no/om-buypass/etsi-102-042/_attachment/33325?_download=true&_ts=14bc532b650 Audit Statement Date: 2016-03-23 BR Audit: http://www.buypass.no/om-buypass/etsi-102-042/_attachment/33325?_download=true&_ts=14bc532b650 BR Audit Statement Date: 2016-03-23 EV Audit: http://www.buypass.no/om-buypass/etsi-102-042/_attachment/33325?_download=true&_ts=14bc532b650 EV Audit Statement Date: 2016-03-23 CA Comments: null Mozilla: Audit Reminder Root Certificates: Cybertrust Global Root DigiCert Assured ID Root G2 DigiCert Assured ID Root G3 DigiCert Global Root G2 DigiCert Global Root G3 DigiCert High Assurance EV Root CA DigiCert Trusted Root G4 Standard Audit: https://cert.webtrust.org/SealFile?seal=2165=pdf Audit Statement Date: 2016-10-24 Standard Audit: https://cert.webtrust.org/SealFile?seal=2020=pdf Audit Statement Date: 2016-06-27 BR Audit: https://cert.webtrust.org/SealFile?seal=2016=pdf BR Audit Statement Date: 2016-03-18 BR Audit: https://cert.webtrust.org/SealFile?seal=2021=pdf BR Audit Statement Date: 2016-06-27 EV Audit: https://cert.webtrust.org/SealFile?seal=2166=pdf EV Audit Statement Date: 2016-10-24 EV Audit: https://cert.webtrust.org/SealFile?seal=2022=pdf EV Audit Statement Date: 2016-04-07 CA Comments: null Mozilla: Audit Reminder Root Certificates: Hongkong Post Root CA 1 Standard Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8732899 Audit Statement Date: 2016-02-26 BR Audit: https://bugzilla.mozilla.org/attachment.cgi?id=8746166 BR Audit Statement Date: 2016-03-31 CA Comments: null Mozilla: Audit Reminder Root Certificates: QuoVadis Root CA 1 G3 QuoVadis Root CA 2 QuoVadis Root CA 2 G3 QuoVadis Root CA 3 QuoVadis Root CA 3 G3 QuoVadis Root Certification Authority Standard Audit: https://cert.webtrust.org/SealFile?seal=2013=pdf Audit Statement Date: 2016-03-28 BR Audit: https://cert.webtrust.org/SealFile?seal=2011=pdf BR Audit Statement Date: 2016-03-28 EV Audit: https://cert.webtrust.org/SealFile?seal=2012=pdf EV Audit Statement Date: 2016-03-28 CA Comments: https://www.wisekey.com/investors_press-release/wisekey-sixwihn-signs-letter-of-intent-to-acquire-quovadis-consolidating-certification-authority-power-for-eidas-and-iot Mozilla: Audit Reminder Root Certificates: SwissSign Gold CA - G2 SwissSign Platinum CA - G2 SwissSign Silver CA - G2 Standard Audit: https://bug343756.bmoattachments.org/attachment.cgi?id=8781268 Audit Statement Date: 2016-03-18 BR Audit: https://bug343756.bmoattachments.org/attachment.cgi?id=8781268 BR Audit
Re: Next CA Communication
On 21/03/17 10:16, Gervase Markham wrote: > On 17/03/17 11:30, Gervase Markham wrote: >> The URL for the draft of the next CA Communication is here: >> https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 > > A few more wording tweaks on the current version: In Action 1, we should replace: "However, if additional methods of domain validation are added to section 3.2.2.4 of the BRs in the future, they will also be permitted." with: "Mozilla expects that all missing methods will be restored to the Baseline Requirements in the near future. Once that happens, we will return to the practice of requiring conformance to the latest version of the BRs." (The CAB Forum PAG is about to resolve itself; happily, all participants have agreed to license their patents under a CAB Forum RF license. It's now just a question of getting a ballot done to add back the missing methods. Yay :-) Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Mozilla Root Store Policy 2.4.1
On 07/03/17 10:07, Ryan Sleevi wrote: >>> - As you reformat this, perhaps it's worth borrowing the Microsoft of >>> approach of mapping trust bits to criteria I have now tried this; thank you for your wording suggestion. Please let me know what you think. I've also updated it to use RFC 2119 language throughout - please tell me if you think I missed any spots. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Next CA Communication
On 17/03/17 11:30, Gervase Markham wrote: > The URL for the draft of the next CA Communication is here: > https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 A few more wording tweaks on the current version: * Action 1 says: "Date must be before June 1, 2017". That gives CAs 2 months to make a CP/CPS update. Do we normally allow a bit more than that for non-urgent updates? Say, 3 months? * "I understand that our CP/CPS documents shall be updated each year" -> "I understand that our CP/CPS documents should be reviewed and the version number incremented each year" * Action 8: "Our current policy is...". In hindsight, this is ambiguous - it could be Mozilla's policy, and the CA is just affirming they understand it. Instead say "The current policy of our CA is...". Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Next CA Communication
On 2017-03-21 12:51, Jakob Bohm wrote: On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Action 6 says: However, a point-in-time audit statement only validates CA’s practices on that date. Therefore, period-of-time audit statements are still required over that timeframe. Audit periods must be less than a year and contiguous. There must not be gaps in audit periods. I'm not sure what it's trying to say. Kurt Reading this in context seems to simply emphasize, in no uncertain terms, that getting a point-in-time audit that a problem has been fixed does not in any way, shape or form replace the need for regular audits for the period that happens to overlap the date of such a clean-up point-in-time audit. I read both of them as "point-in-time", and it didn't make sense to me. Kurt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Next CA Communication
On 21/03/2017 10:09, Kurt Roeckx wrote: On 2017-03-17 16:30, Gervase Markham wrote: The URL for the draft of the next CA Communication is here: https://mozilla-mozillacaprogram.cs54.force.com/Communications/CACommunicationSurveySample?CACommunicationId=a050S00G3K2 Action 6 says: However, a point-in-time audit statement only validates CA’s practices on that date. Therefore, period-of-time audit statements are still required over that timeframe. Audit periods must be less than a year and contiguous. There must not be gaps in audit periods. I'm not sure what it's trying to say. Kurt Reading this in context seems to simply emphasize, in no uncertain terms, that getting a point-in-time audit that a problem has been fixed does not in any way, shape or form replace the need for regular audits for the period that happens to overlap the date of such a clean-up point-in-time audit. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
