On 11/13/20 1:43 PM, Ryan Sleevi wrote:
> In this regard, the principles from Mozilla's 1.0 Certificate Policy
> provide a small minimum, along with some of the language from, say, the
> FPKI, regarding technical competencies. The basis here is simply for the
> auditor to *disclose* why they believe they meet the criteria or objectives
> set. This avoids the need to address part of your questions (e.g. "How do
> auditors apply to be considered qualified auditors"), because it leaves the
> current policies and presumptions in place, but introduces the disclosure
> requirement for why the auditor is relevant and reliable for the report.
I think it is reasonable to update section 3.2 of Mozilla's Root Store
Policy in v2.7.1 to re-add information that appears to have been lost
during the efforts to remove duplication with the BRs. And we could
consider adding some incremental changes to improve transparency and
clarify expectations regarding auditor experience.
For example, we could begin by updating section 3.2 to the following,
which is a combination of the versions 2.7 and 2.4.1
(https://github.com/mozilla/pkipolicy/blob/2.4.1/rootstore/policy.md) of
Mozilla's Root Store Policy. And then see if there are incremental
updates to this that will improve transparency while keeping the audit
statements that we add to the CCADB as fully public-facing documents.
===
3.2 Auditors
Mozilla requires that audits MUST be performed by a competent,
independent, qualified party.
The burden is on the CA to prove that it has met the below requirements.
However, the CA MAY request a preliminary determination from us regarding
the acceptability of the criteria and/or the competent, independent,
qualified party or parties by which it proposes to meet the requirements
of this policy.
By "competent party" we mean a person or other entity who is authorized
to perform audits according to the stated criteria (e.g., by the
organization responsible for the criteria or by a relevant government
agency) or for whom there is sufficient public information available to
determine that the party is competent to judge the CA’s conformance to
the stated criteria. In the latter case the "public information"
referred to SHOULD include information regarding the party’s:
- knowledge of CA-related technical issues such as public key
cryptography and related standards;
- experience in performing security-related audits, evaluations, or risk
analyses; and
- honesty and objectivity.
By "independent party" we mean a person or other entity who is not
affiliated with the CA as an employee or director and for whom at least
one of the following statements is true:
- the party is not financially compensated by the CA;
- the nature and amount of the party’s financial compensation by the CA
is publicly disclosed; or
- the party is bound by law, government regulation, and/or a
professional code of ethics to render an honest and objective judgement
regarding the CA.
By "qualified party" we mean a person or other entity who meets the
requirements of section 8.2 of the Baseline Requirements. If a CA wishes
to use auditors who do not fit the definition in section 8.2 of the
Baseline Requirements, they MUST receive written permission from Mozilla
to do so in advance of the start of the audit engagement. Mozilla will
make its own determination as to the suitability of the suggested party
or parties, at its sole discretion.
===
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy