On Thu, January 22, 2015 1:43 pm, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.
>
> "30 days past due" = The audit statement date is older than 1 year plus
> 30 days. For example an audit statement dated December 12, 2013, is now
> over 1 year plus 30 days old, so the CA would receive the first
> "courtesy reminder" email.
> <snip>
> I will appreciate your thoughtful and constructive feedback on these
> audit reminder email templates.
>
> Kathleen

Kathleen,

The periods you've chosen for these emails suggest that CAs will be given significant grace by Mozilla when operating (effectively) unaudited. This may already be the case today, and if so, would be exceptionally unfortunate.

I would encourage you and Mozilla to consider a more stringent approach to updated audits, since they represent a key, necessary (though far from sufficient) component in ensuring CAs' practices are effective and consistent.

To offer concrete suggestions on this:

- A 90-day until audit expiration reminder: Because an audit covers a 1y period, it's often several months after the end of that period before an audit report is released. CAs should be reminded of the upcoming audit expiration. I picked 90d here out of the air, but it's effectively the day 1y after the previous end of the audit period, which is presumably 90 days or so before a new audit would be released.

- A 30-day until audit expiration reminder: This is a reminder that the CA has 30 days until 1y after their previous audit statement.

- 30 days after 1y has elapsed from the previous audit date (traditionally, this means 15 months that the CA has been issuing certificates since their last audit period): Metadata changes in the Mozilla Root Store to indicate that the CA is no longer in compliance with the Mozilla program. While Firefox may decide to take no action, this might be surfaced in other Root Store consumers as an indicator of the dubiousness and non-compliance of the CA. My hope would be that Firefox would also consider indicating to the user that this CA is questionable - either on security or process grounds - for failing to maintain a regular audit.

- Periodic 15d reminders until non-compliance is remedied: There really should be no excuse for such extended non-compliance, and the frequent reminders should reflect the seriousness of this.

- Within 6mo after the audit, Mozilla takes concrete actions upon the CA.

While I certainly don't hold audits to be the highest standard of excellence, and certainly view Certificate Transparency as a much needed tool in assessing the technical compliance and competence of CAs, they do represent a serious investment for CAs, a necessary part of any root program, and a spot-check of the things CT cannot programmatically inspect (such as physical and network security, training assessments, information gathering practices, logging, etc).

It would be far better for a CA to publicly disclose an audit with findings, and then work to resolve those findings, than it is for a CA to be given an extended grace period so that they may hide - from Mozilla and the public - areas where they have failed to operate in the public interest from their final audit report.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
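The reminder schedule proposed in the reply above, turned into a small date calculator so a monthly job can see which events fell since its last run. This is an added illustration, not code from Mozilla's CA program or from either poster; the 6-month escalation point is assumed to be measured from the 1-year expiry of the previous statement, and the event labels are constructed.

```python
from __future__ import annotations
from datetime import date, timedelta

# Thresholds taken from the proposal in the reply above. The escalation
# offset (assumed: 180 days after the 1-year expiry) is an interpretation
# of "within 6mo", not a value stated on the list.
AUDIT_VALIDITY = timedelta(days=365)
PRE_EXPIRY_REMINDERS = (90, 30)   # days before the 1-year mark
NONCOMPLIANT_AFTER = 30           # days past expiry: flag CA in root-store metadata
FOLLOWUP_EVERY = 15               # days between reminders while non-compliant
ESCALATE_AFTER = 180              # days past expiry: concrete action (assumed)


def audit_events(statement_date: date) -> list[tuple[date, str]]:
    """All dated events the proposal implies for one audit statement."""
    expiry = statement_date + AUDIT_VALIDITY
    events = [(expiry - timedelta(days=d), f"reminder: {d} days to expiry")
              for d in PRE_EXPIRY_REMINDERS]
    events.append((expiry, "audit statement expired"))
    day = NONCOMPLIANT_AFTER
    events.append((expiry + timedelta(days=day), "flag non-compliant; reminder"))
    day += FOLLOWUP_EVERY
    while day < ESCALATE_AFTER:            # 15-day follow-ups until escalation
        events.append((expiry + timedelta(days=day), "reminder: still non-compliant"))
        day += FOLLOWUP_EVERY
    events.append((expiry + timedelta(days=ESCALATE_AFTER), "escalate: take action"))
    return events


def audit_state(statement_date: date, today: date) -> str:
    """Classify a CA on a given day against the proposed schedule."""
    overdue = (today - (statement_date + AUDIT_VALIDITY)).days
    if overdue < -max(PRE_EXPIRY_REMINDERS):
        return "current"
    if overdue < 0:
        return "expiring"                  # inside the pre-expiry reminder window
    if overdue < NONCOMPLIANT_AFTER:
        return "expired"                   # past 1y, still inside the 30-day grace
    if overdue < ESCALATE_AFTER:
        return "non_compliant"
    return "escalate"


def due_since(statement_date: date, last_run: date, today: date) -> list[tuple[date, str]]:
    """Events in (last_run, today]; a monthly job uses this so no reminder day is skipped."""
    return [(d, what) for d, what in audit_events(statement_date) if last_run < d <= today]
```

Run against the December 12, 2013 example from the original mail, the statement expires on 2014-12-12, the non-compliance flag falls on 2015-01-11, and on 2015-01-22 the CA is already in the non_compliant state.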

