The purpose of this email is to begin public discussion on the addition of a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue #187 <https://github.com/mozilla/pkipolicy/issues/187> in GitHub proposes to require audit reports to list all incidents occurring (or open) during the audit period of which the auditor has been made aware or to state that the auditor is unaware of any incidents. This is related to Issue #154 <https://github.com/mozilla/pkipolicy/issues/154> (management assertion disclosures). That proposal is to have section 2.4 read as follows: "If being audited to the WebTrust criteria, the Management Assertion letter MUST include all known incidents that occurred or were still open/unresolved at any time during the audit period."
Proposed language may be found in the following commits:

- https://github.com/BenWilson-Mozilla/pkipolicy/commit/f6639f503b743aae402dc0f4841dc3dd5ba88753
- https://github.com/BenWilson-Mozilla/pkipolicy/commit/6c07c44e4db473dc4d34009f1bc955a0e18cb4c1
- https://github.com/BenWilson-Mozilla/pkipolicy/commit/5dec00e53b4c6361d85af7644660fe185fcf463d

Proposed language for section 3.1.4 is:

"11. all incidents (as defined in section 2.4) that occurred or were still open/unresolved at any time during the audit period, or a statement that the auditor is unaware of any;"

I look forward to your comments, suggestions and discussions.

Ben

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy