Full disclosure - this was not my idea, but I thought it was a really good one 
and worth bringing up here.

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Jeremy Rowley via dev-security-policy
Sent: Wednesday, August 21, 2019 10:46 PM
To: mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Auditor letters and incident reports

Hey all,

An interesting issue came up recently with audits. Because the Mozilla policy 
includes some requirements that diverge from the BRs, the audit criteria don't 
necessarily cover everything Mozilla cares about. Thus, it's possible to have 
an incident that doesn't show up on an audit. It's also possible that the 
auditor determines the incident is not sufficiently important/risky(?) to 
include it in an audit. For example: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1458024. Auditors aren't 
controlled by the CA and operate independently which means the CA can't dictate 
what goes into the opinion. One solution is to require CAs to list all of the 
incidents that occur during their audit in the management assertion letter. I 
posted an addendum to the management assertion on that thread. Going forward, 
we'll just include it as part of the main body. I need to look into whether I 
can get our existing audit reissued so the appendix is part of the seal as well.

What do you think about just requiring that as part of the Mozilla policy? I.e., 
the management assertion letter must include a list of the incidents 
active/opened during the audit period. Something like that could ensure 
transparency and make sure all incidents are disclosed to the auditor, 
distinguishing the CA's disclosures from the auditors.

dev-security-policy mailing list