On Thursday, October 22, 2020 at 1:53:40 PM UTC-5, Ben Wilson wrote:
> The purpose of this email is to begin public discussion on the addition of 
> a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue 
> #187 <https://github.com/mozilla/pkipolicy/issues/187> in GitHub proposes 
> to require audit reports to list all incidents occurring (or open) during 
> the audit period of which the auditor has been made aware or to state that 
> the auditor is unaware of any incidents. This is related to Issue #154 
> <https://github.com/mozilla/pkipolicy/issues/154> (management assertion 
> disclosures). That proposal is to have section 2.4 read as follows: "If 
> being audited to the WebTrust criteria, the Management Assertion letter 
> MUST include all known incidents that occurred or were still 
> open/unresolved at any time during the audit period." 
> 
> Proposed language may be found in the following commits: 
> 
> - https://github.com/BenWilson-Mozilla/pkipolicy/commit/f6639f503b743aae402dc0f4841dc3dd5ba88753
> - https://github.com/BenWilson-Mozilla/pkipolicy/commit/6c07c44e4db473dc4d34009f1bc955a0e18cb4c1
> - https://github.com/BenWilson-Mozilla/pkipolicy/commit/5dec00e53b4c6361d85af7644660fe185fcf463d
> 
> Proposed language for section 3.1.4 is: 
> 
> "11. all incidents (as defined in section 2.4) that occurred or were still 
> open/unresolved at any time during the audit period, or a statement that 
> the auditor is unaware of any;" 
> 
> I look forward to your comments, suggestions and discussions. 
> 
> Ben

Thanks for bringing this up, Ben.  It is important to consider this requirement 
in conjunction with #154 and address them together. It seems reasonable to 
require a CA to disclose all known incidents that are applicable during a given 
period. It would be important, however, to define “known incident” as a 
“verified bug” and exclude items such as bugs closed as a duplicate, invalid, 
etc.  It would also make sense to clarify that an incident should only be 
disclosed once and eliminate duplication when an incident spans two audit 
periods. 

Also keep in mind an auditor typically issues an opinion on management’s 
assertion of its controls. Audit opinions do not make negative assurance 
statements, such as not being aware of any incidents during the period. If the 
CA is required to make this assertion, the auditor’s opinion will consider that 
statement. 

Thanks, 

Jeff
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy