All,

I've modified the proposed change to MRSP section 3.2 so that it would now
insert a middle paragraph that would read:

"A Qualified Auditor MUST have relevant IT Security experience, or have
audited a number of CAs, and be independent and not conflicted. Individuals
have competence, partnerships and corporations do not. Each Audit Report
MUST be accompanied by documentation provided to Mozilla of individual
auditor qualifications sufficient for Mozilla to determine the competence,
experience, and independence of the Qualified Auditor."

See
https://github.com/BenWilson-Mozilla/pkipolicy/commit/57063dc07f5b753184c94dbf5d0d30d0b9b90789

The basis for further interpretation of the above language would still be
section 8.2 of the Baseline Requirements. ("In normal circumstances,
Mozilla requires that audits MUST be performed by a Qualified Auditor, as
defined in the Baseline Requirements section 8.2").

Section 3.1.4 still remains with a proposed subsection 3 - "name(s) and
qualifications of individuals performing the audit, as required by section
3.2."

I anticipate that additional guidance for how CAs should submit this
information will be made available here on the wiki -
https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications.

Ben

On Thu, Jan 28, 2021 at 2:10 PM Ryan Sleevi <r...@sleevi.com> wrote:

>
> On Thu, Jan 28, 2021 at 3:05 PM Ben Wilson <bwil...@mozilla.com> wrote:
>
>> Thanks.  My current thinking is that we can leave the MRSP "as is" and
>> that we write up what we want in
>> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications,
>> which is, as you note, information about members of the audit team and how
>> individual members meet #2, #3, and #6.
>>
>
> Is this intended as a temporary fix until the issue is meaningfully
> addressed? Or are you seeing this as a long-term resolution of the issue?
>
> I thought the goal was to make the policy clearer on the expectations, and
> my worry is that it would be creating more work for you and Kathleen, and
> the broader community, because it puts the onus on you to chase down CAs to
> provide the demonstration because they didn't pay attention to it in the
> policy. This was the complaint previously raised about "CA Problematic
> Practices" and things that are forbidden, so I'm not sure I understand the
> distinction/benefit here from moving it out?
>
> I think the relevance to MRSP is trying to clarify whether Mozilla thinks
> of auditors as individuals (as it originally did), or whether it thinks of
> auditors as organizations. I think that if MRSP was clarified regarding
> that, then the path you're proposing may work (at the risk of creating more
> work for y'all to request that CAs provide the information that they're
> required to provide, but didn't know that).
>
> If the issue you're trying to solve is one about whether it's in the audit
> letter vs communicated to Mozilla, then I think it should be possible to
> achieve that within the MRSP and explicitly say that (i.e. not require it
> in the audit letter, but still requiring it).
>
> Just trying to make sure I'm not overlooking or misunderstanding your
> concerns there :)
>
>>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
