On Friday, March 20, 2020 at 3:55:08 PM UTC-5, Ryan Sleevi wrote:
> On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > My question: What should "location" mean in the above requirement?
> >
> 
> The WebTrust Practitioner Guidance offers a reasonable definition:
> https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/practitioner-qualification-and-guidance
> 
> CA Processing Locations
> All reports issued should list the city, state/province (if applicable),
> and country of all physical locations
> used in CA operations. This includes data center locations (primary and
> alternate sites), registration
> authority locations (for registration authority operations performed by the
> CA), and all other locations
> where general IT and business process controls that are relevant to CA
> operations are performed.
> 
> 
> > For example, if a CA happens to have two facilities in the same city
> > that should be audited, how can the audit statement clearly indicate if
> > all of that CA's facilities were audited without providing the exact
> > physical addresses?
> 
> 
> We're primarily interested in making sure that the auditor examined /both/
> facilities for the appropriateness of controls. ETSI's lack of rigorous
> methodology leaves a lot to be desired here, but it's not difficult to
> disambiguate by indicating something like
> "Facility 1 in City, State, Country" vs "Facility 2 in City, State, Country"
> or
> "Primary Facility in City, State, Country" vs "Disaster Recovery Facility
> in City, State, Country"
> 
> (adjusted as appropriate)

Shortly before the COVID-19 pandemic, members of the WebTrust Task Force 
reviewed this guidance and had discussion focused on whether our reports were 
providing too much information in a publicly available report as to the 
operations of a CA.  Practitioners have been getting questioned in the past by 
CAs as to why such specific information should be disclosed to the level of 
city and state for the location of its operations.  It is a good point as 
certainly not all CAs provide this information freely to all of their 
employees, let alone outsiders.  This is especially true with the larger and 
more complex CAs.  For the more complex CAs, I can envision another Attachment 
in the audit report, similar to the thumbprint attachment, that lists the 
locations in a manner that Jeremy suggests that protects the physical location 
to some degree, yet provides the users of the report enough information to know 
what was able to be covered. That could be part of our guidance, which of 
course is just that - guidance.  Having our guidance adjusted in this manner would 
certainly help drive consistency that would be helpful to the CABF. I am sure 
there will be variations in reports, however, as guidance is non-authoritative 
for AICPA and CPA Canada.

As far as the term "CA facility", I'd like to get thoughts from this group as 
to what that includes.  For instance, while a facility hosting an active HSM 
with CA private keys is certainly a "CA facility", would you also include in 
this definition things like a bank safe deposit box that stores a deactivated 
and encrypted copy of a private key?  Would you expect this level 
of information disclosed in an audit report?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy