Hi again,

>Thank you for responding Matthias.
>
>On Wed, Apr 11, 2018 at 10:52 AM, m.wiedenhorst---
>via dev-security-policy <[email protected]> wrote:
>
>>
>> Hi Wayne
>>
>>> Can anyone say if an equivalent public-facing
>>> report exists for ETSI audits? If so, I think we should require CAs to
>>> provide these reports with their root inclusion requests.
>>
>> ETSI does require reports on key ceremonies (ETSI EN 319 411-1, 6.5.1 g).
>> But ETSI does NOT require these reports to be public.
>>
> Does ETSI ALLOW these reports to be public?
> In other words, could Mozilla require CAs to publish them?

Well, on the one hand ETSI does not mandate anything about these reports being public or non-public. Hence it is not required to make them public, but it would not be forbidden either.
However, on the other hand in practice almost all key ceremony reports that I have either inspected during audits or even co-signed as the independent key ceremony auditor contained very detailed, internal information about the different steps of the performed ceremony and hence would never ever qualify for publication.

Best regards
Matthias Wiedenhorst
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

