Re: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-06 Thread Kathleen Wilson via dev-security-policy
>> For this MRSP Issue #152 update to v2.7.1, I propose that we make each occurrence of "capable of issuing EV certificates" link to https://wiki.mozilla.org/CA/EV_Processing_for_CAs#EV_TLS_Capable In the definition of EV TLS Capable, I'd move the last bullet up to the top. Done.

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 6:08 PM Dimitris Zacharopoulos via dev-security-policy wrote: > Can other people, except Ryan, follow this thread? I certainly can't. Too much information, too much text, too many assumptions make it impossible to meaningfully participate in the discussion. These

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Dimitris Zacharopoulos via dev-security-policy
Can other people, except Ryan, follow this thread? I certainly can't. Too much information, too much text, too many assumptions make it impossible to meaningfully participate in the discussion.

Microsec: Misissuance of 2 CISCO VPN server authentication certificates

2020-11-06 Thread Sándor dr. Szőke via dev-security-policy
INCIDENT REPORT - Misissuance of 2 CISCO VPN server authentication certificates. > I -- How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal

RE: Policy 2.7.1: MRSP Issue #152: Add EV Audit exception for Policy Constraints

2020-11-06 Thread Tim Hollebeek via dev-security-policy
In the definition of EV TLS Capable, I'd move the last bullet up to the top. This is because the definition is inherently recursive, and it's easy to miss that if the recursion rule isn't first. For example, I had a question about whether "revoked" meant just the certificate itself, or whether

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jakob Bohm via dev-security-policy
On 2020-11-06 18:31, Jeff Ward wrote: > ... Audit reports, whether for WebTrust, financial statements, or other forms of engagement reports providing assurance to users of the information, do not include specific audit team members’ names. Simply stated, this desire to include individual

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 12:00 PM Clemens Wanko via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan, hi all, three things to comment on that: 1. How is the EU ETSI audit scheme thought and what is it intended to provide to Mozilla and the CA/Browser

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > Audit reports, whether for WebTrust, financial statements, or other forms of engagement reports providing assurance to users of the information, do not include specific audit

Re: Policy 2.7.1: MRSP Issue #153: Cradle-to-Grave Contiguous Audits

2020-11-06 Thread Jakob Bohm via dev-security-policy
On 2020-11-05 22:43, Tim Hollebeek wrote: So, I'd like to drill down a bit more into one of the cases you discussed. Let's assume the following: 1. The CAO [*] may or may not have requested removal of the CAC, but removal has not been completed. The CAC is still trusted by at least one public

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-11-06 Thread Jeff Ward via dev-security-policy
On Thursday, October 22, 2020 at 1:53:40 PM UTC-5, Ben Wilson wrote: > The purpose of this email is to begin public discussion on the addition of a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue #187 in GitHub proposes

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jeff Ward via dev-security-policy
On Tuesday, November 3, 2020 at 5:53:52 PM UTC-6, Ben Wilson wrote: > Historically, Mozilla Policy required that CAs "provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Clemens Wanko via dev-security-policy
Hi Ryan, hi all, three things to comment on that: 1. How is the EU ETSI audit scheme thought and what is it intended to provide to Mozilla and the CA/Browser ecosystem? The European scheme of technical standards for CA/TSP developed by ETSI was made and is constantly adopted to integrate