Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-22 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on the addition of
a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue
#187 in GitHub proposes to require audit reports to list all incidents
occurring (or open) during the audit period of which the auditor has been
made aware or to state that the auditor is unaware of any incidents. This is
related to Issue #154 (management assertion disclosures). That proposal is
to have section 2.4 read as follows: "If being audited to the WebTrust
criteria, the Management Assertion letter MUST include all known incidents
that occurred or were still open/unresolved at any time during the audit
period."

Proposed language may be found in the following commits:

   - https://github.com/BenWilson-Mozilla/pkipolicy/commit/f6639f503b743aae402dc0f4841dc3dd5ba88753
   - https://github.com/BenWilson-Mozilla/pkipolicy/commit/6c07c44e4db473dc4d34009f1bc955a0e18cb4c1
   - https://github.com/BenWilson-Mozilla/pkipolicy/commit/5dec00e53b4c6361d85af7644660fe185fcf463d

Proposed language for section 3.1.4 is:

"11. all incidents (as defined in section 2.4) that occurred or were still
open/unresolved at any time during the audit period, or a statement that
the auditor is unaware of any;"

I look forward to your comments, suggestions and discussions.

Ben
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Policy 2.7.1: MRSP Issue #154: Require Management Assertions to list Non-compliance

2020-10-22 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on an addition to
section 2.4 of the Mozilla Root Store Policy. Issue #154 in GitHub proposes
to require that management assertions (CA disclosures to auditors) provide
written mention of all incidents occurring (or open) during the audit
period.

Initial draft language can be found here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/bc669d03ba3fb7cb48dc4492d4e8dd52bfd9a943
and here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/5dec00e53b4c6361d85af7644660fe185fcf463d


This issue is a companion to Issue #187 (Consider requiring audit reports
to list all incidents that occurred during the audit period or clearly
state that the auditor is not aware of any).

Please provide your comments and suggestions in response to this email.

Thanks,

Ben