
Automated Audit Reminder Email Templates


Kathleen Wilson

Jan 22, 2015, 4:44:58 PM
to mozilla-dev-s...@lists.mozilla.org
All,

As you know, we've moved the CA Program data from spreadsheets into
SalesForce.

We are now creating a program that will be run once per month to
automatically send email to CAs when audit statements are past due;
meaning that the audit statement date is over a year old.

"30 days past due" = The audit statement date is older than 1 year plus
30 days. For example an audit statement dated December 12, 2013, is now
over 1 year plus 30 days old, so the CA would receive the first
"courtesy reminder" email.


DRAFT Audit Reminder Email Templates

== 30 to 120 days past due ==

Subject: Mozilla Audit Reminder

Dear Certification Authority,

This is a courtesy reminder from Mozilla that updated audit statements
are due for the following root certificates:

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent monthly until the audit
statements have been updated in our records.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==


== 120 to 240 days past due ==

Subject: Mozilla Audit Reminder (over 4 months past due)

Dear Certification Authority,

Updated audit statements are due for the following root certificates. If
you do not respond promptly with updated audit information, a Mozilla
representative will file a Bugzilla Bug and start a discussion in the
mozilla.dev.security.policy discussion forum to record that audit
statements are past due for these root certificates.

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent monthly until the audit
statements have been updated in our records.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==

== 240 days and past due ==

Subject: Mozilla Audit Reminder (over 8 months past due)

Dear Certification Authority,

Your root certificates as listed below are in danger of being removed
from Mozilla's root store, because the audit statements that we have on
record are over 20 months old. If you do not respond promptly with
updated audit information, we will initiate the process of removing
these root certificates.

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. To
notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent monthly until the audit
statements have been updated in our records or the corresponding root
certificates have been disabled or removed from NSS.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==

I will appreciate your thoughtful and constructive feedback on these
audit reminder email templates.

Kathleen



Kurt Roeckx

Jan 26, 2015, 6:23:43 AM
to mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,

On 2015-01-22 22:43, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.

I think it's great that you want to automate this.

Reading the baseline requirements, they have 3 months after the audit
period ends. Wouldn't it make more sense to do it 30 days after the
audit period ends rather than based on when the audit statement was made?

For example if the last audit period was 1 January 2013 - 31 December
2013 with an audit statement in March 2014, you would only send the
reminder in April 2014 which is after the 3 months time they have. It
would make more sense to send this end January / begin February.

> Here is the audit statement information we have for these root
> certificates.
> Audit: <Standard Audit>
> Audit Statement Date: <Standard Audit Statement Date>
> BR Audit: <BR Audit>
> BR Audit Statement Date: <BR Audit Statement Date>
> EV Audit: <EV Audit>
> EV Audit Statement Date: <EV Audit Statement Date>

Maybe it should also mention the covered period and by when they should
deliver the statement?

The BR say this:
| In the event of a delay greater than three months, and if so requested
| by an Application Software Supplier, the CA SHALL provide an
| explanatory letter signed by the Qualified Auditor.

Maybe something like that should be mentioned in one of the mails?


Kurt

Ryan Sleevi

Jan 26, 2015, 4:26:54 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
On Thu, January 22, 2015 1:43 pm, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.
>
> "30 days past due" = The audit statement date is older than 1 year plus
> 30 days. For example an audit statement dated December 12, 2013, is now
> over 1 year plus 30 days old, so the CA would receive the first
> "courtesy reminder" email.
>
<snip>

> I will appreciate your thoughtful and constructive feedback on these
> audit reminder email templates.
>
> Kathleen

Kathleen,

The periods you've chosen for these emails suggest that CAs will be given
significant grace by Mozilla when operating (effectively) unaudited. This
may already be the case today, and if so, would be exceptionally
unfortunate.

I would encourage you and Mozilla to consider a more stringent approach to
updated audits, since they represent a key, necessary (though far from
sufficient) component in ensuring CAs' practices are effective and
consistent.

To offer concrete suggestions on this:
- A 90-day until audit expiration reminder:
Because an audit covers a 1y period, it's often several months after the
end of that period before an audit report is released. CAs should be
reminded of the upcoming audit expiration. I picked 90d here out of the
air, but it's effectively the day 1y after the previous end of the audit
period, which is presumably 90 days or so before a new audit would be
released.

- A 30-day until audit expiration reminder:
This is a reminder that the CA has 30 days until 1y after their previous
audit statement.

- 30 days after 1y has elapsed from the previous audit date
(traditionally, this means 15 months that the CA has been issuing
certificates since their last audit period)
Metadata changes in the Mozilla Root Store to indicate that the CA is no
longer in compliance with the Mozilla program. While Firefox may decide to
take no action, this might be surfaced in other Root Store consumers as an
indicator of the dubiousness and non-compliance of the CA. My hope would
be that Firefox would also consider indicating to the user that this CA is
questionable - either on security or process grounds - for failing to
maintain a regular audit.

- Periodic 15d reminders until non-compliance is remedied
There really should be no excuse for such extended non-compliance, and the
frequent reminders should reflect the seriousness of this.

- Within 6mo after the audit, Mozilla takes concrete actions upon the CA


While I certainly don't hold audits to be the highest standard of
excellence, and certainly view Certificate Transparency as a much needed
tool in assessing the technical compliance and competence of CAs, they do
represent a serious investment for CAs, a necessary part of any root
program, and a spot-check of the things CT cannot programmatically inspect
(such as physical and network security, training assessments, information
gathering practices, logging, etc). It would be far better for a CA to
publicly disclose an audit with findings, and then work to resolve those
findings, than it is for a CA to be given an extended grace period so that
they may hide - from Mozilla and the public - areas where they have failed
to operate in the public interest from their final audit report.

Kurt Roeckx

Jan 26, 2015, 5:35:14 PM
to Ryan Sleevi, mozilla-dev-s...@lists.mozilla.org, Kathleen Wilson
On Mon, Jan 26, 2015 at 01:25:50PM -0800, Ryan Sleevi wrote:
> To offer concrete suggestions on this:

I'm not sure what you mean exactly, so I'm going to give examples.
Assuming the last audit period was 2013-01-01 to 2013-12-31, and
the audit statement on 2014-03-15.

According to the BR rules they would have 3 months to provide the
new audit report, so the old expires and the new must be received
by 2015-04-01.

> - A 90-day until audit expiration reminder:

So this would be sent around the 2015-01-01?

> - A 30-day until audit expiration reminder:

So that would be around the 2015-03-01?

> - 30 days after 1y has elapsed from the previous audit date
> (traditionally, this means 15 months that the CA has been issuing
> certificates since their last audit period)

That would be around 2015-04-15? Or around 2015-05-01?

What would happen in case the previous audit statement was
already received on 2015-01-15? Around 2015-04-01?

> - Periodic 15d reminders until non-compliance is remedied

Between 2015-05-01 and 2015-06-15?

> - Within 6mo after the audit, Mozilla takes concrete actions upon the CA

2015-07-01? Or 2015-09-15?

I'm in favour of expressing everything based on the period that
the audit statement covered and the expiration date (15 months
after the end of the audit period) that goes with it. I suggest
the following instead:
- 3 months, 1 month and 2 weeks before expiration: reminder that
it's going to expire.
- date of expiration and 2 weeks later: saying that it expired
- starting 1 month after expiration, every 2 weeks: adjust the
database to indicate that it expired and remind them that it
expired and if they don't act soon that they will be removed.
- 3 months after expiration: remove trust settings, add reject
settings, send them the last mail.


Kurt
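
The scheduling logic the two proposals above describe, as an added example (my code, not Mozilla's SalesForce program): the first post's tiers keyed to the audit statement date (30 / 120 / 240 days beyond "one year old"), Kurt's schedule keyed to the end of the audited period (expiry 15 months after that date), and the missing-BR-audit check Kathleen describes later in the thread. Function names, the RootRecord fields and the sample record are assumptions made for this example; the worked dates are the ones used in the posts.

```python
"""Audit-reminder scheduling, modelling the schemes discussed in the thread.

Two schemes are implemented:
  * statement-date tiers from the first post (30 / 120 / 240 days past "one year old"),
  * Kurt's period-based schedule (expiry = 15 months after the end of the audited period).
All records below are constructed sample data, not Mozilla's SalesForce data.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


def add_months(d: date, n: int) -> date:
    """Shift a date by n calendar months, clamping the day to the target month's length
    (so 2015-03-31 minus one month is 2015-02-28, not an invalid date)."""
    y, m = divmod(d.month - 1 + n, 12)
    y += d.year
    m += 1
    last_day = calendar.monthrange(y, m)[1]
    return d.replace(year=y, month=m, day=min(d.day, last_day))


# --- Scheme 1: tiers keyed to the audit statement date (first post) ---

def days_past_due(statement_date: date, today: date) -> int:
    """Days elapsed since the statement turned one year old (negative if not yet)."""
    return (today - add_months(statement_date, 12)).days


def statement_tier(statement_date: date, today: date) -> Optional[str]:
    """Map a statement date onto the three draft templates, or None if no mail is due."""
    d = days_past_due(statement_date, today)
    if d < 30:
        return None
    if d < 120:
        return "courtesy"        # "30 to 120 days past due"
    if d < 240:
        return "overdue"         # "120 to 240 days past due"
    return "removal"             # "240 days and past due"


# --- Scheme 2: schedule keyed to the audited period (Kurt's proposal) ---

def expiration_date(audit_period_end: date) -> date:
    """An audit statement expires 15 months after the end of the period it covers."""
    return add_months(audit_period_end, 15)


def period_stage(audit_period_end: date, today: date) -> Optional[str]:
    """Which step of Kurt's schedule applies today."""
    exp = expiration_date(audit_period_end)
    if today >= add_months(exp, 3):
        return "remove-trust"     # remove trust settings, add reject settings, final mail
    if today >= add_months(exp, 1):
        return "expired-flagged"  # mark expired in the database, mail every 2 weeks
    if today >= exp:
        return "expired"          # mail on expiry and again 2 weeks later
    if today >= exp - timedelta(days=14):
        return "reminder-2w"
    if today >= add_months(exp, -1):
        return "reminder-1m"
    if today >= add_months(exp, -3):
        return "reminder-3m"
    return None


# --- What the monthly production run checks (per the Dec 2015 status post) ---

@dataclass
class RootRecord:
    """One root certificate's audit data. Field names are assumptions for this example."""
    name: str
    standard_audit_date: Optional[date]
    br_audit_date: Optional[date]      # None when no BR audit statement is on file
    ev_audit_date: Optional[date]
    websites_trust_bit: bool


def reminder_findings(rec: RootRecord, today: date) -> List[str]:
    """Reasons a root would appear in this month's reminder mail."""
    findings = []
    for label, d in (("Standard", rec.standard_audit_date),
                     ("BR", rec.br_audit_date),
                     ("EV", rec.ev_audit_date)):
        if d is not None and days_past_due(d, today) > 0:
            findings.append(f"{label} audit statement dated {d.isoformat()} is over a year old")
    if rec.websites_trust_bit and rec.br_audit_date is None:
        findings.append("Websites trust bit set but no BR audit statement on file")
    return findings


if __name__ == "__main__":
    today = date(2015, 1, 22)  # date of the first post
    print(statement_tier(date(2013, 12, 12), today))   # the post's worked example
    print(period_stage(date(2013, 12, 31), today))     # Kurt's worked example
    sample = RootRecord("Example Root CA", date(2013, 12, 12), None, None, True)  # constructed
    for line in reminder_findings(sample, today):
        print("-", line)
```

The month arithmetic is the part worth getting right: a naive `replace(month=...)` raises on 31 March minus one month, and a fixed 30-day month drifts across a 15-month window, so the clamping helper is used for every offset in both schemes.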

Kathleen Wilson

Jan 26, 2015, 5:50:56 PM
to mozilla-dev-s...@lists.mozilla.org
Good questions...

Currently the process for pinging CAs for updated audit statements is
manual. Basically, when I have time I search through the spreadsheet to
see whose audit statements are out-of-date, and then send email to the
corresponding CAs. I have been trying to do this about 4 times per year,
so my records do get out of date. When I ping a CA, I usually find that
they already have a new audit statement, or find that their current
audit was slightly delayed due to scheduling or that they are still
waiting on the auditor for the official statements.

So, I don't think it's a matter of reminding CAs to do the annual audit.
I think it's a matter of reminding CAs to send me their updated audit
statements.

Thanks,
Kathleen

Kathleen Wilson

Jan 26, 2015, 7:14:09 PM
to mozilla-dev-s...@lists.mozilla.org
Here are the updated templates.

I took specific time frame information out of the templates, so that we
can tweak the time frames by just changing the program (and not the
templates). This will allow us to start out more lenient to account for
the fact that I haven't done the manual process for a while. Then we can
shrink the time frames as we get this automated and better kept up-to-date.

== Audit statements due ==

To: <Alias1 and Alias2. If Alias1 and 2 are blank then the primary POC
and CC POC(s)>

Subject: Mozilla Audit Reminder

Dear Certification Authority,

This is a courtesy reminder from Mozilla that updated audit statements
are due for the following root certificates:

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties.

To notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent regularly until the audit
statements have been updated in our records.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==

== Overdue ==

To: <Alias1 and Alias2 *and* the primary POC and CC POC(s)>

Subject: Mozilla: Overdue Audit Statements

Dear Certification Authority,

Updated audit statements are overdue for the following root
certificates. If you do not respond promptly with updated audit
information, a Mozilla representative will file a Bugzilla Bug and start
a discussion in the mozilla.dev.security.policy discussion forum to
record that audit statements are past due for these root certificates.

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. A
failure to provide required updates in a timely manner are grounds for
disabling a CA’s root certificates or removing them from Mozilla
products. According to the policy "a timely manner" means within 30 days
of when the appropriate documentation becomes available to the CA.

To notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent regularly until the audit
statements have been updated in our records.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==

== Danger of root being removed ==

To: <Alias1 and Alias2 *and* the primary POC and CC POC(s)>

Subject: Mozilla: Your root is in danger of being removed

Dear Certification Authority,

Your root certificates as listed below are in danger of being removed
from Mozilla's root store, because the audit statements that we have on
record are very old. If you do not respond promptly with updated audit
information, we will initiate the process of removing these root
certificates.

- <Root Cert Name 1>
- <Root Cert Name 2>
- <Root Cert Name 3> etc

Here is the audit statement information we have for these root certificates.
Audit: <Standard Audit>
Audit Statement Date: <Standard Audit Statement Date>
BR Audit: <BR Audit>
BR Audit Statement Date: <BR Audit Statement Date>
EV Audit: <EV Audit>
EV Audit Statement Date: <EV Audit Statement Date>

As per Mozilla's CA Certificate Maintenance Policy, we require that all
CAs whose certificates are distributed with our software products
provide us an updated statement annually of attestation of their
conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties. A
failure to provide required updates in a timely manner are grounds for
disabling a CA’s root certificates or removing them from Mozilla
products. According to the policy "a timely manner" means within 30
days of when the appropriate documentation becomes available to the CA.

To notify us of an updated statement of attestation, send email to
certif...@mozilla.org or submit a bug report into the mozilla.org
Bugzilla system, filed against the "CA Certificates" component of the
"mozilla.org" product. If you are not proactively sending Mozilla your
updated audit statements, please create a process to do so.

This is an automated email that will be sent regularly until the audit
statements have been updated in our records or the corresponding root
certificates have been disabled or removed from NSS.

Regards,
Kathleen Wilson, Module Owner of Mozilla's CA Certificates Module
==

Thanks,
Kathleen

Kathleen Wilson

Mar 10, 2015, 4:12:53 PM
to mozilla-dev-s...@lists.mozilla.org
On 1/22/15 1:43 PM, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.
>


The automated audit reminder program has been tested, and is now in our
production version of SalesForce. For the near future I will tell the
program when to run each month. I plan to run the program early next week.

The audit information I currently have for each root is listed in the
spreadsheet here: https://wiki.mozilla.org/CA:IncludedCAs

Kathleen

Kathleen Wilson

Mar 17, 2015, 12:05:44 PM
to mozilla-dev-s...@lists.mozilla.org
I ran the automated audit reminder program in production this morning,
and it sent the corresponding emails to the CAs who have overdue audit
statements according to the data in SalesForce.

I plan to run the program once per month.

Kathleen

Kathleen Wilson

Apr 21, 2015, 3:00:58 PM
to mozilla-dev-s...@lists.mozilla.org
FYI... I just ran the audit reminder program again a few moments ago.
I plan to run it on the third Tuesday of each month.

Kathleen

Kurt Roeckx

Dec 4, 2015, 7:44:52 AM
to mozilla-dev-s...@lists.mozilla.org
On 2015-01-22 22:43, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.

What is the status of this? We're now more than those 240 days later
and there still are CAs that don't even have a BR audit yet.


Kurt

Kathleen Wilson

Dec 7, 2015, 12:40:31 PM
to mozilla-dev-s...@lists.mozilla.org
On 12/4/15 4:44 AM, Kurt Roeckx wrote:
> On 2015-01-22 22:43, Kathleen Wilson wrote:
>> All,
>>
>> As you know, we've moved the CA Program data from spreadsheets into
>> SalesForce.
>>
>> We are now creating a program that will be run once per month to
>> automatically send email to CAs when audit statements are past due;
>> meaning that the audit statement date is over a year old.
>
> What is the status of this?


The program is run on the 3rd Tuesday of each month, and automated email
is sent to CAs for whom we have audit statements that are over a year old.

The email also notes if they do not have a BR audit statement *and* have
the websites trust bit set.


> We're now more than those 240 days later
> and there still are CAs that don't even have a BR audit yet.
>

Correct. There are still a few CAs who have the websites trust bit set
for their root certs and do not yet have a BR audit statement. Some of
them have the BR audit in progress (had to go through budget approval
process before being able to add another audit), and some are phasing
out those root certs.

Kathleen