Full disclosure - this was not my idea, but I thought it was a really good one and worth bringing up here.
-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Jeremy Rowley via dev-security-policy
Sent: Wednesday, August 21, 2019 10:46 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Auditor letters and incident reports

Hey all,

An interesting issue came up recently with audits. Because the Mozilla policy includes some requirements that diverge from the BRs, the audit criteria don't necessarily cover everything Mozilla cares about. Thus, it's possible to have an incident that doesn't show up on an audit. It's also possible that the auditor determines the incident is not sufficiently important/risky(?) to include it in an audit. For example: https://bugzilla.mozilla.org/show_bug.cgi?id=1458024. Auditors aren't controlled by the CA and operate independently, which means the CA can't dictate what goes into the opinion.

One solution is to require CAs to list all of the incidents that occur during their audit in the management assertion letter. I posted an addendum to the management assertion on that thread. Going forward, we'll just include it as part of the main body. I need to look into whether I can get our existing audit reissued so the appendix is part of the seal as well.

What do you think about just requiring that as part of the Mozilla policy? I.e., the management assertion letter must include a list of the incidents active/opened during the audit period. Something like that could ensure transparency and make sure all incidents are disclosed to the auditor, distinguishing the CA's disclosures from the auditor's.

Jeremy

_______________________________________________
dev-security-policy mailing list
email@example.com
https://lists.mozilla.org/listinfo/dev-security-policy