This email is part of the discussion for the next version of the Mozilla
Root Store Policy (MSRP), version 2.7.1, to be published during of Q1-2021.
For audit delays, we currently require that audit statements disclose the
locations that were and were not audited, but that requirement has not been
incorporated yet into the MRSP. See
provision reads as follows:
Disclose each location (at the state/province level) that was included in
the scope of the audit or should have been included in the scope of the
audit, whether the inspection was physically carried out in person at each
location, and which audit criteria were checked (or not checked) at each
- If the CA has more than one location in the same state/province, then
use terminology to clarify the number of facilities in that state/province
and whether or not all of them were audited. For example: "Facility 1 in
Province", "Facility 2 in Province, Facility 3 in Province" *or*
"Primary Facility in Province", "Secondary Facility in Province", "Tertiary
Facility in Province".
- The public audit statement does not need to identify the type of
- "Facility" includes: data center locations, registration authority
locations, where IT and business process controls of CA operations are
performed, facility hosting an active HSM with CA private keys,
bank deposit box storing a deactivated and encrypted copy of a
It is proposed by Issue #207
> that this language
requiring the disclosure of site locations--audited and unaudited--be made
clearly part of the MSRP by reference to the language above.
A similar method of incorporating by reference has been taken in section
2.4 of the MSRP
with respect to incident reporting and in section 7.1
with requirements for the CA inclusion process.
It is proposed that we add a new subsection 10 to MRSP section 3.1.4
that would require that audit documentation disclose the facility site
locations that were, or were not, examined.
One concern that has been raised previously is that the Baseline
Requirements do not define "facility site location". However, we believe
that the language above at
accomplishes that. We're open to suggestions for re-wording parts of it to
make it even better.
Currently, the audit letter template for WebTrust for CAs references the
site location audited (at the level of specificity that is proposed
above). Over this past year, due to COVID, some ETSI attestation letters
have also explained which sites were and were not checked. This approach
seems to work, and the additional information will be beneficial in the
future as we evaluate the security and trust of PKI service providers.
So, for the page cited above, we intend to move "Minimum Expectations" out
from under "Audit Delay" so that it stands separately as a requirement for
disclosing the facility site location. Then we will also revise MRSP
section 3.1.4 by inserting a new subsection 10 to require "facility site
locations that were, or were not, examined" with a hyperlink to the Minimum
Expectations language cited above.
We look forward to your comments and suggestions.