Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-03-08 Thread Ben Wilson via dev-security-policy
Kathleen and I edited the proposed language (https://github.com/BenWilson-Mozilla/pkipolicy/commit/a69aa03fb92d1b0c3f74fd560dffefdeed934b45) to now read: "The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: ... 11. all

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-15 Thread Jeff Ward via dev-security-policy
On Friday, February 12, 2021 at 10:27:11 AM UTC-6, Ben Wilson wrote: > I'm fine with that suggestion. > On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy <dev-secur...@lists.mozilla.org> wrote: > > > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > > >

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-12 Thread Ben Wilson via dev-security-policy
I'm fine with that suggestion. On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > > 11. all incidents (as defined in section 2.4), including those reported > in

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-12 Thread malcol...--- via dev-security-policy
On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > 11. all incidents (as defined in section 2.4), including those reported in > Bugzilla, that were: > * disclosed by the CA or discovered by the auditor, and > * unresolved at any time during the audit period; > > The idea is

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-11 Thread Ben Wilson via dev-security-policy
Here is an edit to proposed subparagraph 11 of MRSP section 3.1.4: The publicly-available documentation relating to each audit MUST contain at least the following clearly-labelled information: 11. all incidents (as defined in section 2.4), including those reported in Bugzilla, that were: *

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 24, 2021 at 11:33 PM Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote: > All, > > Based on the comments received, I am inclined to clarify the proposed > language under Issues #154 and #187 with reference to a CA's Bugzilla > compliance bugs rather

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-28 Thread Clemens Wanko via dev-security-policy
Hi Ben, that works fine for me from the ETSI auditors perspective. REM: The ETSI Audit Attestation template requires the auditor to include a full list of Bugzilla compliance bugs – resolved or unresolved – which are relevant for the past audit period. Best regards Clemens

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-24 Thread Ben Wilson via dev-security-policy
All, Based on the comments received, I am inclined to clarify the proposed language under Issues #154 and #187 with reference to a CA's Bugzilla compliance bugs rather than "incidents". The existing language in section 2.4 of the MRSP already requires the CA to promptly file an Incident Report

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-11-06 Thread Jeff Ward via dev-security-policy
On Thursday, October 22, 2020 at 1:53:40 PM UTC-5, Ben Wilson wrote: > The purpose of this email is to begin public discussion on the addition of > a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue > #187 in GitHub proposes

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-23 Thread Matthias van de Meent via dev-security-policy
On Fri, 23 Oct 2020 at 17:33, Ryan Sleevi wrote: > > On Fri, Oct 23, 2020 at 8:55 AM Matthias van de Meent via dev-security-policy > wrote: >> >> The current MRSP do not bind the requirements on the reporting of >> incidents to the CA that the incident was filed on, but generally to >> CAs. >>

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-23 Thread Ryan Sleevi via dev-security-policy
On Fri, Oct 23, 2020 at 8:55 AM Matthias van de Meent via dev-security-policy wrote: > The current MRSP do not bind the requirements on the reporting of > incidents to the CA that the incident was filed on, but generally to > CAs. > > Section 2.4 has the general requirement for a CA to report

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-23 Thread Matthias van de Meent via dev-security-policy
On Thu, 22 Oct 2020, 20:53 Ben Wilson via dev-security-policy, wrote: > That proposal is to have section 2.4 read as follows: "If > being audited to the WebTrust criteria, the Management Assertion letter > MUST include all known incidents that occurred or were still > open/unresolved at any time

Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-10-22 Thread Ben Wilson via dev-security-policy
The purpose of this email is to begin public discussion on the addition of a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue #187 in GitHub proposes to require audit reports to list all incidents occurring (or open) during