It has been suggested that I need to communicate to CAs that there will
be consequences if their audit statements do not meet Mozilla’s
requirements, so how about if I add the following to the November CA
Communication?
~~
As stated in Mozilla’s April 2017 CA Communication[1] and Mozilla’s Root
Store Policy[2, 3], audit statements/letters must meet the following
requirements or Mozilla will reject the audit statements. And CAs
without proper and current audit statements will be put on notice and
potentially removed from Mozilla’s Root Store.
Additionally, audit statements must be provided in English from now on.
As a reminder, here is what Mozilla’s Root Store Policy[2, 3] currently
says:
“Full-surveillance period-of-time audits MUST be conducted and updated
audit information provided no less frequently than annually. Successive
audits MUST be contiguous (no gaps).
....
The publicly-available documentation relating to each audit MUST contain
at least the following clearly-labelled information:
- name of the company being audited;
- name and address of the organization performing the audit;
- Distinguished Name and SHA256 fingerprint of each root and
intermediate certificate that was in scope;
- audit criteria (with version number) that were used to audit each of
the certificates;
- a list of the CA policy documents (with version numbers) referenced
during the audit;
- whether the audit is for a period of time or a point in time;
- the start date and end date of the period, for those that cover a
period of time;
- the point-in-time date, for those that are for a point in time;
- the date the report was issued (which will necessarily be after the
end date or point-in-time date); and
- For ETSI, a statement to indicate if the audit was a full audit, and
which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+,
LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2
(Requirements for trust service providers).
“
The above listed information MUST be provided by the auditor in each
audit statement or its accompanying letter. If the information is
provided in an accompanying letter, then the pdf file that is submitted
to Mozilla must contain BOTH the audit statement and the letter.
Please indicate your CA’s understanding that each audit statement/letter
provided to Mozilla must be in English and must meet the requirements of
Mozilla’s Root Store Policy, specifically stating the information listed
above. Otherwise Mozilla will reject the audit statement, and put the CA
on notice for being out of compliance, which may result in the CA’s root
certificate(s) being removed from our program.
[1] https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00018,Q00032
[2] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#audit-parameters
[3] https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#public-audit-information
~~
As always, I will appreciate your thoughtful and constructive feedback
on this suggested addition to the draft of the November CA Communication.
Thanks,
Kathleen