Hey all,

An interesting issue came up recently with audits. Because the Mozilla policy 
includes some requirements that diverge from the BRs, the audit criteria don't 
necessarily cover everything Mozilla cares about. Thus, it's possible to have 
an incident that doesn't show up on an audit. It's also possible that the 
auditor determines the incident is not sufficiently important/risky(?) to 
include it in an audit. For example: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1458024. Auditors aren't 
controlled by the CA and operate independently which means the CA can't dictate 
what goes into the opinion. One solution is to require CAs to list all of the 
incidents that occur during their audit in the management assertion letter. I 
posted an addendum to the management assertion on that thread. Going forward, 
we'll just include it as part of the main body. I need to look into whether I 
can get our existing audit reissued to the appendix is part of the seal as well.

What do you think about just requiring that as part of the Mozilla policy? Ie - 
the management assertion letter must include a list of the incidents 
active/opened during the audit period. Something like that could ensure 
transparency and make sure all incidents are disclosed to the auditor, 
distinguishing the CA's disclosures from the auditors.

Jeremy
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to