Here is the first issue for discussion here on the m.d.s.p. list relative to the next version of the Mozilla Root Store Policy (v.2.7.1).

#139 <https://github.com/mozilla/pkipolicy/issues/139> - Audits are required even if no longer issuing - Clarify that audits are required until the CA certificate is revoked, expired, or removed. Related to Issue #153 <https://github.com/mozilla/pkipolicy/issues/153>.

Seven (7) comments are listed so far for this issue in GitHub, including discussion re: whether auditors can provide reports when a CA isn't being used to issue certificates.

I made an initial attempt to address this with some language in line 272 in the following commit in my GitHub repository - https://github.com/BenWilson-Mozilla/pkipolicy/commit/888dc139d196b02707d228583ac20564ddb27b35 (related changes also appear below in that commit).

The suggested language would amend the first paragraph of section 3.1.3 of the MRSP to read, "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than *annually* from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store or until all copies of the CA private key have been completely destroyed, as evidenced by a Qualified Auditor's key destruction report, whichever occurs sooner. Successive period-of-time audits MUST be contiguous (no gaps)."

We will need to discuss scope and timing for implementing this requirement.

Thanks in advance for your contributions and suggestions.

Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy