The proposed language includes the requirement for compliance with both the BRs and Mozilla policy, so it's a better fit for the section of our policy titled "Inclusions" than the section titled "Baseline Requirements Conformance". To close out this discussion, I added the proposed language to section 7.1:
https://github.com/mozilla/pkipolicy/commit/55929f58da98a7af08fbf4bc2eb4537991de481b

On Wed, Apr 11, 2018 at 11:02 PM, m.wiedenhorst--- via dev-security-policy <[email protected]> wrote:

> Hi again,
>
> > Thank you for responding Matthias.
> >
> > On Wed, Apr 11, 2018 at 10:52 AM, m.wiedenhorst--- via dev-security-policy <[email protected]> wrote:
> >
> > > Hi Wayne
> > >
> > > > Can anyone say if an equivalent public-facing report exists for ETSI audits? If so, I think we should require CAs to provide these reports with their root inclusion requests.
> > >
> > > ETSI does require reports on key ceremonies (ETSI EN 319 411-1, 6.5.1 g). But ETSI does NOT require these reports to be public.
> >
> > Does ETSI ALLOW these reports to be public?
> > In other words, could Mozilla require CAs to publish them?
>
> Well, on the one hand ETSI does not mandate anything about these reports being public or non-public. Hence it is not required to make them public, but it would not be forbidden either.
>
> However, on the other hand, in practice almost all key ceremony reports that I have either inspected during audits or even co-signed as the independent key ceremony auditor contained very detailed, internal information about the different steps of the performed ceremony and hence would never ever qualify for publication.
>
> Based on this feedback, I have decided not to push for a requirement that CAs provide key generation ceremony audit reports at this time.
>
> - Wayne

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

