On Thu, Feb 20, 2020 at 4:58 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> We will continue to follow our standard process to adjudicate the issue > regarding failures to provide CA audit statements [1] and we will work > with the impacted CAs throughout this process. Pursuant to this process, > Mozilla will file CA incident bugs [2] in Bugzilla when audit statements > are past due. The CA should respond in such bugs providing their > Incident Report [3] explaining the situation with their audits, > precautions that have been taken and their plan to move forward in > reaching compliance again. I think more guidance is still needed here, and my questions were trying to solicit feedback as to how CAs affected would propose to address this. For example, should the CA produce an audit report with the locations that were examined? Or should they defer the audit report until all locations have been examined? What constitutes sufficient evidence of a location being affected? Similarly, if a CA’s preferred auditors are from a region affected by travel restrictions, but other accredited auditors exist that would be capable, would that be sufficient? If an audit for a region is delayed, but travel in that region becomes no longer affected, at what point is a new audit expected? And how is that decided? These are examples of the questions trying to accommodate this, and it would be good to see more holistic responses about how this *could* be addressed, especially when considering an adversarial model where a CA might opportunistically exploit this or future situations. Presumably, the CA has thought through some of this, as part of their general business continuity / disaster recovery plans, and that’s why I framed the original questions the way I did, to get more transparency about how the CA(s) affected have prepared. > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy