MRSP 2.9: Issue #239: Audit Statement Content

579 views
Skip to first unread message

Ben Wilson

unread,
Jun 27, 2023, 11:37:44 AM6/27/23
to dev-secur...@mozilla.org

All,

Section 5.1 of the CCADB Policy https://www.ccadb.org/policy#51-audit-statement-content now specifies required audit letter content very similar to what is currently in section 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed that much of the current language in MRSP § 3.1.4 be removed. GitHib Issue#239However, two items do not appear in the CCADB’s list of required audit content—(1) locations audited or not audited and (2) auditor qualifications.  Therefore, we are proposing the following language for the first paragraph of section 3.1.4.

--- Begin MRSP Edit ---

The publicly-available documentation relating to each audit MUST contain the information required by section 5.1 of the CCADB Policy and the CA locations that were or were not audited. Audit reports must also contain or be accompanied by the name of the lead auditor and qualifications of the team performing the audit, as required by section 3.2.

--- End MRSP Edit ---

See also https://github.com/Mozilla/pkipolicy/compare/bf36841af0686676f0435769db8c641d7d17dfb3..8968d9b6fedc1f94f4afa6a59ce609b759f497e6

Please provide us with your comments or suggestions.

Thanks,

Ben and Kathleen

Pedro Fuentes

unread,
Jun 29, 2023, 3:39:50 AM6/29/23
to dev-secur...@mozilla.org, Ben Wilson
Hi Ben,
I'm a bit puzzled about how to specify the locations that "were not audited".
What does this mean?
Thanks!
Pedro

Ben Wilson

unread,
Jun 29, 2023, 10:44:16 AM6/29/23
to Pedro Fuentes, dev-secur...@mozilla.org
Hi Pedro,
If the CA has two sites, one primary and one secondary, and if the secondary site hasn't been audited during the audit period, then the audit letter should mention that. 
Thanks,
Ben

Pedro Fuentes

unread,
Jun 30, 2023, 3:17:21 AM6/30/23
to dev-secur...@mozilla.org, Ben Wilson, dev-secur...@mozilla.org, Pedro Fuentes
Hi Ben,
Thanks for the clarification, but I think any site that hosts CA operations must be in the scope of the audit.
I can't figure out an scenario as you describe where there's a successful audit report.
Best,
Pedro

Ben Wilson

unread,
Aug 18, 2023, 1:46:15 PM8/18/23
to dev-secur...@mozilla.org
All,
In response to Tim Hollebeek's recent email on this topic (https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/HJDtlQEfUsY/m/1t6s5G2rAgAJ), I have added a reference to CCADB Policy version 1.2.3.  Unless there are additional comments, I am assuming that discussion on this topic can now be closed. Here is a reference to the currently proposed language: https://github.com/BenWilson-Mozilla/pkipolicy/commit/117054ecf1eff757cfebe40d7c952ce1e3fca920.
Thanks,
Ben



Reply all
Reply to author
Forward
0 new messages