Suggestion: "List of CA policy documents _and versions_"

I have seen audits that simply say "CPS at [URL]", which leaves it ambiguous as to which version was audited. It also raises concerns of a CA forgetting to update their public CP/CPS with whatever the auditor examined.

On Thu, Jan 12, 2017 at 9:12 AM, Gervase Markham <[email protected]> wrote:
> The current CA policy does not specify when audit reports are due to
> Mozilla relative to the end date of the audit period. It only says that
> CAs must provide the reports to Mozilla within 30 days of receiving the
> report from their auditor.
>
> Peter Bowen proposed some revised and more specific requirements, which
> can be read in the issue, and I've taken the opportunity to split the
> audit stuff (which is important both for Inclusion and Maintenance) out
> of the Inclusion section into its own section.
>
> I've made the changes on a branch; the diff can be seen here:
> https://github.com/mozilla/pkipolicy/compare/issue-7
>
> Mostly it involves moving the audit parts from the Inclusion section to
> their own section, but then I've added a new bullet (bullet 7) which has
> the requirements on dates (a little reworded), plus also one requirement
> extracted from elsewhere in the document.
>
> It also means we now have a specific section defining the required
> contents for audit reports. Later, we may have other things to add to
> that section :-)
>
> This is: https://github.com/mozilla/pkipolicy/issues/7
>
> -------
>
> This is a proposed update to Mozilla's root store policy for version
> 2.4. Please keep discussion in this group rather than on Github. Silence
> is consent.
>
> Policy 2.3 (current version):
> https://github.com/mozilla/pkipolicy/blob/2.3/rootstore/policy.md
> Update process:
> https://wiki.mozilla.org/CA:CertPolicyUpdates
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

