All,
https://wiki.mozilla.org/CA/Audit_Letter_Validation
currently says:
""
Acceptable remediation for an intermediate certificate missing BR audits
may include one or more of the following:
- Have your auditor issue a revised report that includes the
intermediate certificate. Note that if the certificate has been in
existence for multiple past audit periods, this will not be considered a
full remediation unless new reports are supplied for all of those
periods in which the certificate did not appear on the original reports.
- Revoke the intermediate certificate in accordance with BR section
4.9. If your CA decides not to revoke the certificate within the
timeline specified by the BRs, then that is another incident, which must
be addressed in a separate Incident Report.
- If the intermediate certificate is technically capable but not
intended for TLS issuance, and revocation is not imminent, you may
request that Mozilla add it to OneCRL by adding a comment to the
Bugzilla bug with the request and sending email to Mozilla. Note: While
adding the certificate to OneCRL satisfies Mozilla's expectations for
remediation, it may not satisfy other root store programs. You are
advised to seek their guidance on this issue.
""
Questions:
1) Should we require a revised audit statement when it is missing the
SHA256 fingerprint of a cert that has the same Subject + SPKI as other
cert(s) listed in the audit statement?
For this situation, we have been requiring CAs to have their auditor
revise their current audit statements. But the question has come up
about when that is necessary, e.g. what if the CA is about to get their
next audit statement? Do they still need to get their previous audit
statement updated? If not, what would be the cut-off for not requiring
that the current audit statement get updated? Or is it only necessary
that future audit statements list the forgotten certs that have the same
Subject + SPKI as other audited certs?
2) Should we accept a revised audit statement to include the SHA256
fingerprint of a certificate that was not previously listed and does not
have the same Subject + SPKI as other cert(s) listed in the audit statement?
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
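The two questions above turn on a mechanical check: given the certificates a CA operates and the SHA-256 fingerprints an audit statement lists, which unlisted certificates share Subject + SPKI with a listed one (question 1) and which do not (question 2)? The following is an added example, not code from the Mozilla wiki, CCADB or this thread. It uses only the Go standard library, builds a constructed test hierarchy (one root, one intermediate issued twice with the same subject and key, and a second intermediate with a different key), treats the audit statement as a set of hex SHA-256 fingerprints, and compares Subject and SPKI on their raw DER bytes. The certificate names, serials and dates are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Status of one certificate when checked against an audit statement.
const (
	Audited      = "listed in audit statement"
	SameIdentity = "not listed, but same Subject + SPKI as a listed cert" // question 1
	Unlisted     = "not listed, no listed cert shares Subject + SPKI"     // question 2
)

// Fingerprint is the SHA-256 of the DER certificate as lowercase hex, the
// identifier audit statements and CCADB use for a certificate.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// IdentityKey hashes the raw DER Subject and SubjectPublicKeyInfo. Certificates
// that share it are the same CA identity re-certified (reissued or cross-signed).
func IdentityKey(c *x509.Certificate) string {
	h := sha256.New()
	h.Write(c.RawSubject)
	h.Write(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(h.Sum(nil))
}

// Classify maps each certificate's fingerprint to its status. audited is the
// set of SHA-256 fingerprints the audit statement lists.
func Classify(certs []*x509.Certificate, audited map[string]bool) map[string]string {
	listedIdentities := map[string]bool{}
	for _, c := range certs {
		if audited[Fingerprint(c)] {
			listedIdentities[IdentityKey(c)] = true
		}
	}
	out := map[string]string{}
	for _, c := range certs {
		fp := Fingerprint(c)
		switch {
		case audited[fp]:
			out[fp] = Audited
		case listedIdentities[IdentityKey(c)]:
			out[fp] = SameIdentity
		default:
			out[fp] = Unlisted
		}
	}
	return out
}

// issue signs tmpl with signer under parent and parses the result.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// caTemplate is a minimal CA certificate template; values are invented.
func caTemplate(cn string, serial int64, notBefore time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{"Example CA"}, CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(5, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// SampleCorpus builds a constructed hierarchy (not any real CA's data):
// certs[0] is listed in the audit statement; certs[1] reuses its subject and
// key with a new serial and validity but is not listed; certs[2] has a
// different subject and key and is not listed.
func SampleCorpus() ([]*x509.Certificate, map[string]bool) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := caTemplate("Example Root", 1, time.Date(2018, 1, 1, 0, 0, 0, 0, time.UTC))
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a := issue(caTemplate("Example Intermediate 1", 100, time.Date(2019, 1, 1, 0, 0, 0, 0, time.UTC)), root, &interKey.PublicKey, rootKey)
	b := issue(caTemplate("Example Intermediate 1", 101, time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)), root, &interKey.PublicKey, rootKey)

	otherKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	c := issue(caTemplate("Example Intermediate 2", 200, time.Date(2020, 6, 1, 0, 0, 0, 0, time.UTC)), root, &otherKey.PublicKey, rootKey)

	return []*x509.Certificate{a, b, c}, map[string]bool{Fingerprint(a): true}
}

func main() {
	certs, audited := SampleCorpus()
	result := Classify(certs, audited)
	for _, c := range certs {
		fp := Fingerprint(c)
		fmt.Printf("%s...  %-24s  %s\n", fp[:16], c.Subject.CommonName, result[fp])
	}
}
```

Comparing the raw DER of Subject and SPKI is deliberate: it avoids false matches from differently encoded but textually equal names, at the cost of not matching a name re-encoded with a different string type. To use this against a real audit statement, replace SampleCorpus with the CA's certificate set and the fingerprints transcribed from the statement.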