Re: Root Store Policy Suggestion

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 28, 2021 at 1:32 PM Burton wrote: > Hi Ryan, > > The answer to your questions. > > A remediation plan is only useful in cases of slight CA non-compliance to > the rules set forth by the root store policy. > > A remediation plan in cases of slight CA non-compliance provides >

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Sun, Jan 24, 2021 at 11:33 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > All, > > Based on the comments received, I am inclined to clarify the proposed > language under Issues #154 and #187 with reference to a CA's Bugzilla > compliance bugs rather

Re: Root Store Policy Suggestion

2021-01-28 Thread Burton via dev-security-policy
On Thu, Jan 28, 2021 at 7:33 PM Ryan Sleevi wrote: > > > On Thu, Jan 28, 2021 at 1:32 PM Burton wrote: > >> Hi Ryan, >> >> The answer to your questions. >> >> A remediation plan is only useful in cases of slight CA non-compliance to >> the rules set forth by the root store policy. >> >> A

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 28, 2021 at 3:05 PM Ben Wilson wrote: > Thanks. My current thinking is that we can leave the MRSP "as is" and > that we write up what we want in > https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications, > which is, as you note, information about members of the audit

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
Thanks. My current thinking is that we can leave the MRSP "as is" and that we write up what we want in https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications, which is, as you note, information about members of the audit team and how individual members meet #2, #3, and #6. On

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 28, 2021 at 1:43 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On second thought, I think that Mozilla can accomplish what we want without > modifying the MRSP > < >

Re: Summary of Camerfirma's Compliance Issues

2021-01-28 Thread Eric Mill via dev-security-policy
Just to build on what Ryan said, and to clarify any confusion around the scope of Chrome’s action here - Chrome is no longer accepting Camerfirma certificates that are specifically used for *TLS server authentication* for websites. Our planned action is related to the certificates Chrome uses

Re: Root Store Policy Suggestion

2021-01-28 Thread Burton via dev-security-policy
Hi Ryan, The answer to your questions. A remediation plan is only useful in cases of slight CA non-compliance to the rules set forth by the root store policy. A remediation plan in cases of slight CA non-compliance provides assurance of CA commitment to compliance. A CA under investigation of

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
On second thought, I think that Mozilla can accomplish what we want without modifying the MRSP (which says audits MUST be performed by a Qualified Auditor, as defined in the Baseline Requirements

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-01-28 Thread Clemens Wanko via dev-security-policy
Hi Ben, that works fine for me from the ETSI auditors' perspective. REM: The ETSI Audit Attestation template requires the auditor to include a full list of Bugzilla compliance bugs – resolved or unresolved – which are relevant for the past audit period. Best regards Clemens