On 8/26/2014 11:35 AM, Kathleen Wilson wrote:
> All,
>
> I am running into a problem with BR audit statements that list details
> about issues that have been found.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
> "...The first BR audit for each CA and subCA may include a reasonable
> list of BRs that the CA (or subCA) is not yet in compliance with. ..."
>
> The problem is that some BR audit statements provide information about
> the CA's BR non-conformance that the CA considers to be sensitive (and
> non-publishable) information.
>
> As you know, Mozilla's policy requires public-facing audit statements.
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> "6. ... provide public attestation of their conformance to the stated
> verification requirements ..."
>
> So, I need a way forward that enables the CA to provide the required BR
> audit statement without publicly disclosing sensitive information.
>
> Just brainstorming...
>
> Would it be OK to accept public-facing BR audit statements that have the
> information about the issues redacted?
>
> In the spreadsheet of included roots, I could add a column to list BR
> section numbers that were in the redacted information.
>
> I will appreciate thoughtful and constructive input on this topic.
>
> Kathleen
For X.509 certificates to be trusted, their use, processes, and administration must be transparent. There is no transparency with a redacted audit report.

I do not think an audit report with redacted statements satisfies the requirement stated in the last bullet of Section 6 of the Mozilla CA Certificate Inclusion Policy (v.2.2). In this case, complete "public attestation" is missing. With a redacted audit report, the presumption should be that hidden negative information exists that would disqualify the certification authority from having its root certificate in the NSS database if such information were disclosed.

I also think that an audit report with redacted statements fails to satisfy Section 4 of the Mozilla CA Certificate Maintenance Policy. Again, any redaction would imply the existence of hidden negative information that would necessitate removal of the affected root certificate from the NSS database if such information were disclosed.

--
David E. Ross

The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

