On 11/13/20 1:43 PM, Ryan Sleevi wrote:
In this regard, the principles from Mozilla's 1.0 Certificate Policy
provide a small minimum, along with some of the language from, say, the
FPKI, regarding technical competencies. The basis here is simply for the
auditor to *disclose* why they believe they meet the criteria or objectives
set. This avoids the need to address part of your questions (e.g. "How do
auditors apply to be considered qualified auditors"), because it leaves the
current policies and presumptions in place, but introduces the disclosure
requirement for why the auditor is relevant and reliable for the report.


I think it is reasonable to update section 3.2 of Mozilla's Root Store Policy in v2.7.1 to re-add information that appears to have been lost during the efforts to remove duplication with the BRs. And we could consider adding some incremental changes to improve transparency and clarify expectations regarding auditor experience.

For example, we could begin by updating section 3.2 to the following, which is a combination of the versions 2.7 and 2.4.1 (https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md) of Mozilla's Root Store Policy. And then see if there are incremental updates to this that will improve transparency while keeping the audit statements that we add to the CCADB as fully public-facing documents.

===

3.2 Auditors

Mozilla requires that audits MUST be performed by a competent, independent, qualified party.

The burden is on the CA to prove that it has met the below requirements. However, the CA MAY request a preliminary determination from us regarding the acceptability of the criteria and/or the competent, independent, qualified party or parties by which it proposes to meet the requirements of this policy.

By "competent party" we mean a person or other entity who is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant government agency) or for whom there is sufficient public information available to determine that the party is competent to judge the CA’s conformance to the stated criteria. In the latter case the "public information" referred to SHOULD include information regarding the party’s:
- knowledge of CA-related technical issues such as public key cryptography and related standards;
- experience in performing security-related audits, evaluations, or risk analyses; and
- honesty and objectivity.

By "independent party" we mean a person or other entity who is not affiliated with the CA as an employee or director and for whom at least one of the following statements is true:
- the party is not financially compensated by the CA;
- the nature and amount of the party’s financial compensation by the CA is publicly disclosed; or
- the party is bound by law, government regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.

By "qualified party" we mean a person or other entity who meets the requirements of section 8.2 of the Baseline Requirements. If a CA wishes to use auditors who do not fit the definition in section 8.2 of the Baseline Requirements, they MUST receive written permission from Mozilla to do so in advance of the start of the audit engagement. Mozilla will make its own determination as to the suitability of the suggested party or parties, at its sole discretion.

===

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy