On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> My question: What should "location" mean in the above requirement?

The WebTrust Practitioner Guidance offers a reasonable definition:
https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/practitioner-qualification-and-guidance

CA Processing Locations

All reports issued should list the city, state/province (if applicable), and country of all physical locations used in CA operations. This includes data center locations (primary and alternate sites), registration authority locations (for registration authority operations performed by the CA), and all other locations where general IT and business process controls that are relevant to CA operations are performed.

> For example, if a CA happens to have two facilities in the same city
> that should be audited, how can the audit statement clearly indicate if
> all of that CA's facilities were audited without providing the exact
> physical addresses?

We're primarily interested in making sure that the auditor examined /both/ facilities for the appropriateness of controls.

ETSI's lack of rigorous methodology leaves a lot to be desired here, but it's not difficult to disambiguate by indicating something like "Facility 1 in City, State, Country" vs "Facility 2 in City, State, Country" or "Primary Facility in City, State, Country" vs "Disaster Recovery Facility in City, State, Country" (adjusted as appropriate).

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy