Policy 2.5 Proposal: Require qualified auditors unless agreed in advance


Gervase Markham

Apr 12, 2017, 5:47:53 AM
to mozilla-dev-s...@lists.mozilla.org
Way back when, Mozilla wrote some requirements for auditors which were
more liberal than "be officially licensed by the relevant audit scheme".
This was partly because organizations like CACert, who were at the time
pondering applying for inclusion, might need to use
unofficially-qualified auditors to keep cost down.

This is no longer a live issue, and this exception/expansion causes
confusion and means that we cannot unambiguously require that auditors
be qualified.

Therefore, I propose we switch our auditor requirements to requiring
qualified auditors, and saying that exceptions can be applied for in
writing to Mozilla in advance of the audit starting, in which case
Mozilla will make its own determination as to the suitability of the
suggested party or parties.

Proposed changes:

* Remove sections 3.2.1 and 3.2.2.

* Change section 3.2 to say:

In normal circumstances, Mozilla requires that audits MUST be performed
by a Qualified Auditor, as defined in the Baseline Requirements section 8.2.

If a CA wishes to use auditors who do not fit that definition, they MUST
receive written permission from Mozilla to do so in advance of the start
of the audit engagement. Mozilla will make its own determination as to
the suitability of the suggested party or parties, at its sole discretion.

* Change section 2.3, first bullet, to read:

- Mozilla reserves the right to accept audits by auditors who do not
meet the qualifications given in section 8.2 of the Baseline Requirements.


This is: https://github.com/mozilla/pkipolicy/issues/63

-------

This is a proposed update to Mozilla's root store policy for version
2.5. Please keep discussion in this group rather than on Github. Silence
is consent.

Policy 2.4.1 (current version):
https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
Update process:
https://wiki.mozilla.org/CA:CertPolicyUpdates

Jakob Bohm

Apr 12, 2017, 6:38:08 AM
to mozilla-dev-s...@lists.mozilla.org
Does this (accidentally?) remove the ability of Mozilla to explicitly
distrust a specific formally qualified auditor, such as E&Y HK?

> This is: https://github.com/mozilla/pkipolicy/issues/63
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.5. Please keep discussion in this group rather than on Github. Silence
> is consent.
>
> Policy 2.4.1 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates
>


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Gervase Markham

Apr 12, 2017, 12:03:20 PM
to Jakob Bohm
On 12/04/17 11:37, Jakob Bohm wrote:
> Does this (accidentally?) remove the ability of Mozilla to explicitly
> distrust a specific formally qualified auditor, such as E&Y HK?

Good point. Not sure, but we should make that clear.

Add to the end of that exception sentence ", or refuse audits from
auditors who do."

Gerv

Gervase Markham

Apr 20, 2017, 9:33:11 AM
to Jakob Bohm
On 12/04/17 17:02, Gervase Markham wrote:
> Add to the end of that exception sentence ", or refuse audits from
> auditors who do."

Adopted as proposed, with this addition.

Gerv