On 2014-08-13 20:16, Kathleen Wilson wrote:
> 4) I think we need to formally augment the audit process with software
> tools; such as analysis of data of existing sites chaining up to roots
> being considered for inclusion. And also run periodically for included
> roots.
I think it would be useful if we could at least start with documenting
things that someone external can (try to) look at. Maybe not all of
them can be automated, and such a list would at least be useful to do a
manual check. So some of the things I'm thinking about:
- The checks I already do on the certificates themselves. I can of course
add more tests if needed.
- On a collection of certificates we can check things like duplicate
serial numbers or that they have enough entropy.
- That OCSP works.
There are probably others that I'm forgetting.
But I'm also wondering what our policy should be if we can detect
problems. It's probably going to depend on the problem we find. But if
there are problems that we consider serious enough to require a new audit,
maybe we should also document which ones we find so serious?
Do we also need a policy about how fast we would like issues to be
fixed? At which point do we remove a CA that does not comply?
Kurt
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
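The collection-level checks Kurt lists (duplicate serial numbers, and whether serials carry enough entropy) are the part of this that is easy to automate. What follows is an added example, not code from the thread or from Mozilla's root program: it parses certificates with Go's standard crypto/x509, groups them by issuer, and flags serials that are reused, too short to hold 64 bits of randomness (the 64-bit threshold is this example's assumption), or that follow each other by exactly one (a counter rather than CSPRNG output). The certificates it runs over are constructed in SampleCertificates with serials chosen to trigger each check; a real run would parse the certificates collected from live sites instead. The OCSP check is not covered here, since it needs network access to the responder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"sort"
	"time"
)

// Finding is one problem detected while auditing a set of certificates.
type Finding struct {
	Kind     string   // "duplicate-serial", "low-entropy-serial" or "sequential-serial"
	Issuer   string   // issuer DN of the affected certificate(s)
	Serial   string   // affected serial number, hex
	Subjects []string // subjects of the affected certificate(s)
}

// minSerialBits is assumed by this example (not taken from the thread): a serial shorter than 64 bits cannot hold 64 bits of CSPRNG output.
const minSerialBits = 64

func newFinding(kind string, certs ...*x509.Certificate) Finding {
	f := Finding{Kind: kind, Issuer: certs[0].Issuer.String(), Serial: certs[0].SerialNumber.Text(16)}
	for _, c := range certs {
		f.Subjects = append(f.Subjects, c.Subject.String())
	}
	return f
}

// AuditSerials runs three checks over a collection: two certificates from the
// same issuer sharing a serial, serials too short to carry enough entropy, and
// serials that follow each other by exactly one (a counter, not random output).
func AuditSerials(certs []*x509.Certificate) []Finding {
	var findings []Finding
	byKey := map[string][]*x509.Certificate{}    // issuer DER + serial -> certs
	byIssuer := map[string][]*x509.Certificate{} // issuer DER -> one cert per distinct serial
	for _, c := range certs {
		key := string(c.RawIssuer) + "|" + c.SerialNumber.Text(16) // group by DER, not a normalised name
		byKey[key] = append(byKey[key], c)
		if c.SerialNumber.BitLen() < minSerialBits {
			findings = append(findings, newFinding("low-entropy-serial", c))
		}
	}
	for _, group := range byKey {
		issuer := string(group[0].RawIssuer)
		byIssuer[issuer] = append(byIssuer[issuer], group[0])
		if len(group) > 1 {
			findings = append(findings, newFinding("duplicate-serial", group...))
		}
	}
	for _, group := range byIssuer {
		sort.Slice(group, func(i, j int) bool { return group[i].SerialNumber.Cmp(group[j].SerialNumber) < 0 })
		for i := 1; i < len(group); i++ {
			if new(big.Int).Sub(group[i].SerialNumber, group[i-1].SerialNumber).Cmp(big.NewInt(1)) == 0 {
				findings = append(findings, newFinding("sequential-serial", group[i-1], group[i]))
			}
		}
	}
	return findings
}

// issue signs tmpl with parent and key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCertificates builds a constructed test set: one CA and six leaves whose
// serials are chosen to trigger every check (a real audit parses collected certs).
func SampleCertificates() ([]*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1000), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	ca, err := issue(caTmpl, caTmpl, key)
	if err != nil {
		return nil, err
	}
	dup, _ := new(big.Int).SetString("f234567890abcdef", 16)                          // 64 bits, issued twice
	good, _ := new(big.Int).SetString("6f3a9c0d5e2b1a4f7c8d9e0f1a2b3c4d5e6f7a8b", 16) // 159 bits, should pass
	var certs []*x509.Certificate
	for _, s := range []*big.Int{big.NewInt(1), big.NewInt(2), big.NewInt(3), dup, dup, good} {
		c, err := issue(&x509.Certificate{SerialNumber: s, Subject: pkix.Name{CommonName: s.Text(16) + ".example.test"},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}, ca, key)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}
```

On the sample set, AuditSerials reports serials 1, 2 and 3 as low-entropy, 2 and 3 as sequential to their predecessors, and the two certificates sharing f234567890abcdef as a duplicate; the 159-bit serial is not flagged. Grouping by the raw issuer DER rather than a printed DN matters in a real corpus: two issuer names that differ only in string encoding are different issuers as far as serial uniqueness is concerned, and a printable-string comparison could merge or split them.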