
Policy 2.7.1: MRSP Issue #139: Audits required even if not issuing


Ben Wilson

Jan 21, 2021, 5:13:00 PM1/21/21
to mozilla-dev-security-policy
I've updated this subject line for consistency with the other issues.

On Tue, Oct 6, 2020 at 2:31 PM Ben Wilson <bwi...@mozilla.com> wrote:

> Here is the first issue for discussion here on the m.d.s.p. list relative
> to the next version of the Mozilla Root Store Policy (v.2.7.1).
>
> #139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are
> required even if no longer issuing - Clarify that audits are required until
> the CA certificate is revoked, expired, or removed. Related to Issue #153
> <https://github.com/mozilla/pkipolicy/issues/153>.
>
> Seven (7) comments are listed so far for this issue in GitHub, including
> discussion re: whether auditors can provide reports when a CA isn't being
> used to issue certificates.
>
> I made an initial attempt to address this with some language in line 272
> in the following commit in my GitHub repository -
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35
> (related changes also appear below in that commit).
>
> The suggested language would amend the first paragraph of section 3.1.3 of
> the MRSP to read, "Full-surveillance period-of-time audits MUST be
> conducted and updated audit information provided no less frequently than
> *annually* from the time of CA key pair generation until the CA
> certificate is no longer trusted by Mozilla's root store or until all
> copies of the CA private key have been completely destroyed, as evidenced
> by a Qualified Auditor's key destruction report, whichever occurs sooner.
> Successive period-of-time audits MUST be contiguous (no gaps)."
>
> We will need to discuss scope and timing for implementing this requirement.
>
> Thanks in advance for your contributions and suggestions.
>
> Ben