On 04/10/2018 04:27, Matt Palmer wrote:
> On Wed, Oct 03, 2018 at 09:31:08AM -0700, Wayne Thayer wrote:
> > On Mon, Oct 1, 2018 at 4:49 AM Matt Palmer via dev-security-policy <[email protected]> wrote:
> > > ...
> > > Alternately, if the BRs *are*, in fact, sufficiently clear in all respects,
> > > the only other possibility that comes to my mind is that Certigna failed to
> > > correctly interpret the BRs, which is far more concerning -- for Certigna,
> > > at least. It would mean that there could be any number of other, as yet
> > > unidentified, misunderstandings in Certigna's procedures. I would imagine
> > > there would need to be a very comprehensive review of Certigna's processes
> > > and procedures, with a detailed public report of the findings of that
> > > review, for confidence in Certigna to be restored.
> >
> > I think we have established that the problem was with Certigna's chosen
> > interpretation of the BRs. I am not clear on how you are proposing to have
> > a "comprehensive review of Certigna's processes and procedures, with a
> > detailed public report of the findings of that review" performed. This
> > sounds like an audit to me?
>
> Not by my understanding of an audit (particularly a WebTrust audit). A
> WebTrust audit will validate that the organisation does what it says it
> does, but I can't see how it would identify that management has
> misinterpreted the BRs, in any but the most egregious of ways. I doubt ETSI
> is any better, given that the impression I get is that those audits are even
> less closely aligned with the specific requirements of the BRs.
>
> What I'm envisioning in my suggestion is a review of all Certigna's BR-related
> processes and procedures, with a view to identifying any potential issues
> based on the two factors already identified:
>
> 1. That Certigna misinterpreted the BRs to believe that they could
> substitute controls they considered to be equivalent for BR-mandated
> controls. Since it is entirely possible that this same misinterpretation
> may have coloured other aspects of their operations, I would expect a
> review of all processes and procedures to identify whether they, too, could
> have suffered from the same misinterpretation in their design or
> implementation.
>
> 2. That Certigna managed to misinterpret the BRs *in general*. Thus, what
> other of Certigna's processes and procedures could possibly have been
> influenced by other misinterpretations of the BRs? This may require an
> external party, or at least someone who wasn't involved in the initial
> analysis of the BRs to determine Certigna's processes and procedures, to
> ensure that prior misinterpretations are not repeated.

I seem to recall that the bad practice was explicitly called out in
their (old) CP/CPS, which was applicable at the time. Thus any similar
misunderstanding should be discoverable by Mozilla and/or their auditor
comparing the CP/CPS with the BR, Mozilla, National and other applicable
requirements. However, this has been a long discussion and some posts
have been expired by the Mozilla NNTP server.
...
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy