MRSP 2.9: Issue #123: Annual Compliance Self-Assessment

[Ben Wilson]

All,

Historically, Mozilla has required that CAs perform an annual Self-Assessment of their compliance with the CA/Browser Forum's TLS Baseline Requirements and Mozilla's Root Store Policy (MRSP).  See https://wiki.mozilla.org/CA/Compliance_Self-Assessment. While there has not been any requirement that CAs submit their self-assessments to Mozilla, several CAs have had it a practice to do so.

We would like to propose that the operators of TLS CAs (those with the websites trust bit enabled) be required to submit these self-assessments annually by providing a link to them in the Common CA Database (CCADB). Therefore, we are proposing a new section 3.4 in the MRSP to read as follows:

---- Begin Draft for MRSP-----

3.4 Compliance Self-Assessments

Effective January 1, 2024, CA operators with CA certificates capable of issuing working TLS server certificates MUST complete a [Compliance Self-Assessment](https://www.ccadb.org/cas/self-assessment) at least every 365 days and provide the Common CA Database with the location where that Compliance Self-Assessment can be retrieved.

----- End Draft for MRSP -----

The effective date of January 1, 2024, is not intended to result in a huge batch of self-assessments being submitted that day. Rather, we would hope that CAs begin providing the locations of their self-assessments as soon as possible by completing the "Self-Assessment" section under the "Root Information" tab of an Add/Update Root Case in the CCADB. (The field for this information already exists in the CCADB under the heading "Self-Assessment".)

Please provide any comments or suggestions.

Thanks,

Ben and Kathleen

[Bruce Morton]

The issue I have with "at least every 365 days" is that I like to put something on the schedule and do it the same month every year. We do this with our annual compliance audit. If we have to provide the self-assessment at least every 365 days, then each year it will be earlier to provide some insurance time to meet the requirement. Is there any way we can provide the requirement to stop this progression? Something like "on an annual basis, but not more longer than 398-days".

[Antti Backman]

I concur to Bruce's consern,

Albeit not directly conserning this discussion, we already have this issue in our hands: https://www.chromium.org/Home/chromium-security/root-ca-policy/#6-annual-self-assessments

But yes, this will be moving target, I would propose that this could be tight together with the end of audit period, which anyhow is hardcoded date. And maybe then similarly to posting audit reports having some fixed amount of days after the end of audit period this should (at least and at latest) be submitted.

Antti Backman

Telia Company

[Ben Wilson]

All,

For submission of self-assessments, what do people think about "at least every 366 days" instead of the original proposal of 365 days?  That gives flexibility for leap years.

Ben

[Ben Wilson]

And, for section 3.3 (CPs and CPSes), I am thinking that the same change should be made from 365 to 366 days, and that item 4 would read, "all CPs, CPSes, and combined CP/CPSes MUST be reviewed and updated as necessary at least once every 366 days."

Ben

[Bruce Morton]

Hi Ben, 

It would be great to get your feedback on my proposal above as I would like to put this into a human process which is kind of analog. The 365/366 proposal means we would need to do it, say every 330 days to ensure we stay compliant. This would mean the schedule would continue to move to the left. It is also frustrating that both Google and Mozilla have a policy on this requirement. In fact, I made a similar comment to Google and got this response, “Subsequent annual submissions must be made no later than 455 calendar days (i.e., one year and ninety days) after the CA owner's earliest appearing root record's “BR Audit Period End Date” for the preceding audit period. CA owners should submit the self assessment to the CCADB at the same time as uploading audit reports.” 

Perhaps a CCADB policy could be proposed to address this requirement consistently.

Thanks, Bruce.

[Ben Wilson]

Thanks, Bruce.  If we took that approach, then the language in MRSP section 3.4 might read, "Effective January 1, 2024, CA operators with CA certificates capable of issuing working TLS server certificates MUST submit their [Compliance Self-Assessment](https://www.ccadb.org/cas/self-assessment) at least every 455 calendar days (i.e. one year and ninety days) after the CA operator's earliest appearing root record's "BR Audit Period End Date" for the preceding audit period. CA operators SHOULD submit the Compliance Self-Assessment to the CCADB at the same time as when they update their audit records. CA operators SHOULD use the latest available version of the CCADB self-assessment template. A CA operator MUST NOT use a version of the self-assessment template that has been superseded by more than 90 calendar days before its submission." 

But when should we make the first self-assessments due?  Should they be due on or before January 1, 2024, and thereafter the proposed formula kicks in?

Thanks,

Ben

--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ac337060-ef9b-4fd4-b7af-500c7411635cn%40mozilla.org.

[Bruce Morton]

Google policy states "The initial annual self assessment must be completed and submitted to the CCADB within 90 calendar days from the CA owner's earliest appearing root record “BR Audit Period End Date” that is after December 31, 2022." You could use the same approach.

Note, that for a CA to submit a root to CCADB, they must have a self-assessment. Mozilla also needs a self-assessment for a root inclusion request. So, in many cases the first self-assessment is already done.

[Ben Wilson]

Thanks again.

How about this language?

CA operators with CA certificates capable of issuing working TLS server certificates MUST submit a link to their annual [Compliance Self-Assessment](https://www.ccadb.org/cas/self-assessment) via the CCADB. The initial annual self-assessment must be completed and submitted to the CCADB within 90 calendar days from the CA operator's earliest appearing root record "BR Audit Period End Date" that is after December 31, 2022. CA operators SHOULD submit the link to their self-assessment at the same time as when they update their audit records (within 455 calendar days after the CA operator's earliest appearing root record's "BR Audit Period End Date" for the preceding audit period). CA operators SHOULD use the latest available version of the CCADB self-assessment template. CA operators MUST NOT use a version of the self-assessment template that has been superseded by more than 90 calendar days before their submission.

Ben

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a51dd5f6-245d-4cae-bebd-dada0c761f7en%40mozilla.org.

[Bruce Morton]

Looks good. There might be an issue with the version of the self-assessment template as I don't think the CAs know when it will be updated. Is there a schedule or is this random?

[Ben Wilson]

Thanks, Bruce,

It would be based on the significance of revisions and compliance dates found in the Baseline Requirements and on when the template was updated and approved by the participating root stores.

Ben

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/a4148e21-57e7-4826-acfe-1a1938987fc7n%40mozilla.org.

[Pedro Fuentes]

I got lost here "CA operators SHOULD submit the link to their self-assessment at the same time as when they update their audit records (within 455 calendar days after the CA operator's earliest appearing root record's "BR Audit Period End Date" for the preceding audit period)."

Typically we'd open an audit case to update the audit records, and then, in parallel, we have 90 days to send the self-assessment, based on the end date of the audit... I don't see then why you add the SHOULD to do it at the same time.

Maybe I missed something...

[Ben Wilson]

Hi Pedro,

I think that the proposed language works with the scenario you present.  In other words, you have 455 days after your previous year's audit end date to submit your self assessment to the CCADB.  This can be done in conjunction with submitting your audit information in the CCADB using the same "Add/Update Root Request case" that you are using for updating your audit information.

Ben

[Pedro Fuentes]

Hello.

OK. I see your point. I was thinking on the end date of the audit report that was uploaded. Chrome's approach is to count 90 days after that, so typically we open the audit case and then, within those 90 days, we send the self-assessment.

But I guess the result is the same.

Txs