It's still very much a work-in-progress, but I updated the first bullet
point in the "Minimum Expectations" section again.
https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
""
Both ETSI and WebTrust Audits should:
- Disclose each location (at the state/province level) that was included
in the scope of the audit or should have been included in the scope of
the audit, whether the inspection was physically carried out in person
at each location, and which audit criteria were checked (or not checked)
at each location.
-- If the CA has more than one location in the same state/province, then
use terminology to clarify the number of facilities in that
state/province and whether or not all of them were audited. For example:
"Facility 1 in Province", "Facility 2 in Province", "Facility 3 in
Province" or "Primary Facility in Province", "Secondary Facility in
Province", "Tertiary Facility in Province".
""
TO DO: Clarify the types of CA locations that should be disclosed in the
audit statement. e.g. data center locations, registration authority
locations, where IT and business process controls of CA operations are
performed, facility hosting an active HSM with CA private keys, facility
or bank deposit box storing a deactivated and encrypted copy of a
private key, other?
I will continue to appreciate your feedback on this, and the entire
"Audit Delay" section.
I also filed an issue in GitHub regarding adding this to Mozilla's root
store policy.
https://github.com/mozilla/pkipolicy/issues/207
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy