On Tue, June 24, 2014 10:39 am, Kurt Roeckx wrote:

> Should we mandate that the audit should also audit the procedures?
>
> In my opinion the audit should:
> - Check that the CPS complies with all the requirements
> - Check that the CPS is being followed.

Well, "Check that the CPS is being followed" is a bit of a can of worms. There's the sampling audit, that ensures, "historically", that the issued certificates have followed the CPS. However, if an auditor does not also perform some observation that the CPS is being followed (e.g., by having the CA demonstrate the various technical controls being followed), then a CA that has issued no certificates is, from an audit coverage perspective, indistinguishable from a CA with no technical controls.

So I think we need both - the sampling (historical) and some practical demonstration.

> I would also like that the software they use should enforce as
> much as possible and not rely on humans to check things that can
> be automated. That however does not mean it should only be
> checked by the software.
>
> I would also like clear rules on what happens when we detect that
> they do not follow the requirements.
>
> Kurt

Agreed. As it stands, I'm surprised that the controls in place that led to the issues Erwann detected were sufficient to satisfy the requirements of Sections 3.9 and 6.1 of the WebTrust "Principles and Criteria for Certification Authorities 2.0", which is part of the basis of evaluating the requirements of the "SSL Baseline Requirements Audit Criteria V1.1".

At a minimum, it seems like this CA should be moved to the back of the queue for discussion, since it's clear that it's not yet in compliance with the Mozilla policy.

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

