Although I’m sure every CA has business continuity plans, I think that extended blocked access to every data center they have may not be part of that plan. I’m not sure, but I think if the required shelters are in place for long periods you may start to see problems. Early disclosure sounds like the best policy, but I thought the early disclosure requirement may be worth calling out in the Mozilla policy. Then again, that really should be standard procedure at that point.

From: Ryan Sleevi <r...@sleevi.com>
Sent: Friday, March 20, 2020 2:57 PM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: Kathleen Wilson <kwil...@mozilla.com>; Mozilla <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

On Fri, Mar 20, 2020 at 4:15 PM Jeremy Rowley via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> What about issues other than audits? For example, with certain locations closing, key ceremonies may become impossible, leading to downed CRLs/OCSP for intermediates. There's also a potential issue with trusted roles even being able to access the data center if something goes down and Sub CAs can't be revoked. Should that be mentioned, requiring CAs to file an incident report as soon as the event becomes likely?

Yes. I think those are, quite honestly, much more concerning, because that's not about a CA's relationship with an external party, but about a CA's own preparedness for disaster.

In any event, as with /any/ incident, the sooner it's filed, and the more information and context is provided, the more effective a response can be.

> For the location issue, I think including the locations audited and the locations not audited (to the full criteria) as an emphasis of matter would be helpful. So maybe an emphasis like we audited the offices in x, y, and z. Office z was inaccessible to evaluate criteria 1-n. It gives you the list of locations and where there were issues in getting access due to the emergency.

Yup. That is the model WebTrust is using, and that reasonably meets the objective here of informing relying parties when the auditor faced limitations that should be considered when evaluating their report.