Topic to discuss [1]:
“(D3) Make the timeline clear about when the audit statements and disclosure have to happen for new audited/disclosed subCAs.”

Section 10 of the Inclusion Policy says:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
“The CA with a certificate included in Mozilla’s CA Certificate Program MUST disclose this information before any such subordinate CA is allowed to issue certificates.”

Additionally, section 8.1 of version 1.3 of the Baseline Requirements specifies when the audits must occur: “before issuing Publicly-Trusted Certificates, the CA SHALL successfully complete a point-in-time readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in Section 8.1. The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme within ninety (90) days of issuing the first Publicly-Trusted Certificate.”

What further clarification needs to be added to Mozilla’s CA Certificate Policy to make it clearer when the audit statements and disclosure have to happen for new subCAs?

As always, I will appreciate your thoughtful and constructive input into this discussion.

Kathleen

PS: Note for CAB Forum folks: I think there are several references to section 8.1 throughout version 1.3 of the BRs that should actually be references to section 8.4 (the section that lists the audit schemes).

[1] https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Proposed_Changes_That_Need_To_Be_Discussed

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy