Here is some draft language to address issue #155.
https://github.com/BenWilson-Mozilla/pkipolicy/commit/a0457df0f17177844e416e04ba5a4897db41ac5a
It adds a sentence to section 2.4 ("A "qualification" in a WebTrust audit
or a "finding of non-conformity" in an ETSI assessment is also an incident.")
and a new section 2.5 titled "Sanctions":
Mozilla MAY require revocation of those leaf certificates or intermediate
certificates that suffered or that are considered defective because of the
incident. Mozilla expects the timely remediation of the problems that
caused or gave rise to the incident. Mozilla MAY require the CA operator to
submit a plan of action with milestones or additional audits to ensure
remediation and to regain confidence in the CA operator. Multiple incidents
with the same underlying cause, however minor, may lead to sanctions. If a
CA operator has failed to remediate the causes giving rise to an incident,
Mozilla MAY impose sanctions, including but not limited to: adding
certificates to OneCRL; removing trust bits from root certificates; and
removing root certificates from the trust store.
On Sun, Jan 16, 2022 at 5:50 PM Ben Wilson <[email protected]> wrote:
> All,
>
> This email introduces discussion of GitHub Issue #155
> <https://github.com/mozilla/pkipolicy/issues/155> - Describe actions
> Mozilla may take upon receipt of a qualified audit. The list below includes
> enforcement actions that Mozilla might take for any set of non-compliance
> events (not just serious issues discovered from a qualified audit). We
> also need to remain flexible with the actions to be taken, based on the
> circumstances.
>
> - Require revocation of leaf certificates
> - Require revocation of Intermediate CAs
> - Intermediate CA(s) added to OneCRL
> - Bugzilla Incident Reporting (Weekly)
> - Point-in-Time audits to show that underlying issues have been fixed
> - Plan of Action and Milestones (with monthly status reports)
> - 60-day Period-of-Time Audits
> - Detailed-controls audit reports
> - Websites trust bit removal
> - Root Removal
>
> See also
> https://wiki.mozilla.org/CA/Maintenance_and_Enforcement#Recurring_Issues
>
> Also, where in the MRSP should we put this new material -- as a new
> Section 3.1.5 under Section 3.1 "Audits"; as new section 7.4 under 7; as a
> new subsection that is part of Section 7.3 (Removals); or as new section
> 2.5 after 2.4 (Incidents)?
>
> Thoughts and suggestions?
>
> Thanks,
>
> Ben
>
>
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYqmEEx6Oz9Xk3QdoPB6mEnvwowGj5vdszPLG2tCpwGBQ%40mail.gmail.com.