On Thu, Mar 29, 2018 at 8:57 AM, Ryan Sleevi <[email protected]> wrote:

> I'm not fully sure I understand the proposal here.
>
> I would think that, for all roots created since 2012, the expectation
> is that there is an unbroken series of audits, going from a Point in Time
> audit (of the policies and infrastructure) to a Root Key Generation
> Ceremony attestation (under the policies and practices) to a Period of Time
> audit, with the issuance of any supporting infrastructure appearing between
> the RKGC and the PoT and covered by the PoT audit.

This expectation apparently isn't clear given the numerous inclusion
requests - for roots created before and after 2012 - we've seen that are
lacking historic audits - Japan GPKI and ComSign for instance.

I wasn't thinking about requiring the RKGC audit report as part of our
inclusion process, but we probably should (assuming those reports aren't
confidential).

> Does that match your intent? Assuming I did not botch the audit timing
> issues here

I think so. My intent is to make it clear that roots must meet our audit
requirements even before they are included, and I'm open to suggestions on
the best way to achieve that in our policy.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
