On Tuesday, December 15, 2020 at 2:41:10 PM UTC-6, Ben Wilson wrote:
> All, 
> 
> This email is part of the discussion for the next version of the Mozilla 
> Root Store Policy (MSRP), version 2.7.1, to be published during of Q1-2021. 
> 
> For audit delays, we currently require that audit statements disclose the 
> locations that were and were not audited, but that requirement has not been 
> incorporated yet into the MRSP. See 
> https://wiki.mozilla.org/CA/Audit_Statements#Minimum_Expectations. That 
> provision reads as follows: 
> 
> Disclose each location (at the state/province level) that was included in 
> the scope of the audit or should have been included in the scope of the 
> audit, whether the inspection was physically carried out in person at each 
> location, and which audit criteria were checked (or not checked) at each 
> location. 
> 
> - If the CA has more than one location in the same state/province, then 
> use terminology to clarify the number of facilities in that state/province 
> and whether or not all of them were audited. For example: "Facility 1 in 
> Province", "Facility 2 in Province, Facility 3 in Province" *or* 
> "Primary Facility in Province", "Secondary Facility in Province", "Tertiary 
> Facility in Province". 
> - The public audit statement does not need to identify the type of 
> Facility. 
> - "Facility" includes: data center locations, registration authority 
> locations, where IT and business process controls of CA operations are 
> performed, facility hosting an active HSM with CA private keys, 
> facility or 
> bank deposit box storing a deactivated and encrypted copy of a 
> private key. 
> 
> It is proposed by Issue #207 
> <https://github.com/mozilla/pkipolicy/issues/207> that this language 
> requiring the disclosure of site locations--audited and unaudited--be made 
> clearly part of the MSRP by reference to the language above. 
> 
> A similar method of incorporating by reference has been taken in section 
> 2.4 of the MSRP 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents>
>  
> with respect to incident reporting and in section 7.1 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#71-inclusions>
>  
> with requirements for the CA inclusion process. 
> 
> It is proposed that we add a new subsection 10 to MRSP section 3.1.4 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#314-public-audit-information>
>  
> that would require that audit documentation disclose the facility site 
> locations that were, or were not, examined. 
> 
> One concern that has been raised previously is that the Baseline 
> Requirements do not define "facility site location". However, we believe 
> that the language above at 
> https://wiki.mozilla.org/CA/Audit_Statements#Minimum_Expectations 
> accomplishes that. We're open to suggestions for re-wording parts of it to 
> make it even better. 
> 
> Currently, the audit letter template for WebTrust for CAs references the 
> site location audited (at the level of specificity that is proposed 
> above). Over this past year, due to COVID, some ETSI attestation letters 
> have also explained which sites were and were not checked. This approach 
> seems to work, and the additional information will be beneficial in the 
> future as we evaluate the security and trust of PKI service providers. 
> 
> So, for the page cited above, we intend to move "Minimum Expectations" out 
> from under "Audit Delay" so that it stands separately as a requirement for 
> disclosing the facility site location. Then we will also revise MRSP 
> section 3.1.4 by inserting a new subsection 10 to require "facility site 
> locations that were, or were not, examined" with a hyperlink to the Minimum 
> Expectations language cited above. 
> 
> We look forward to your comments and suggestions. 
> 
> Sincerely yours, 
> 
> Ben

Hi Ben.  Happy New Year.  I have asked the WebTrust Task Force members to 
provide their comments and Don and I will then provide a more detailed 
response.  I wanted to be sure to get each of the major firms' feedback before 
responding.

Thank you.

Jeff
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to