All,

This post is intended to initiate public discussion on improvements to the
Mozilla Root Store Policy (MRSP) in line with GitHub Issues #270
<https://github.com/mozilla/pkipolicy/issues/270> and #271
<https://github.com/mozilla/pkipolicy/issues/271> (Incident Reporting).
FWIW, the CCADB is working on a somewhat parallel effort with PR #186
<https://github.com/mozilla/www.ccadb.org/pull/186>.

MRSP Section 2.4
<https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents>
has slight differences from the CCADB's Incident Reporting Guidelines
<https://www.ccadb.org/cas/incident-report> (IRGs). These discrepancies
sometimes cause confusion. Therefore, it is proposed that much of the
details in MRSP § 2.4 be stricken and replaced with an explicit
incorporation by reference to the CCADB's IRGs. Similar changes will be
made to the Mozilla Incident Reporting wiki page
<https://wiki.mozilla.org/CA/Responding_To_An_Incident> to ensure
consistency.

Here is the proposed language for section 2.4 of the MRSP:

When a CA operator fails to comply with any requirement of this policy -
whether it be a misissuance, a procedural or operational issue, or any
other variety of non-compliance - the event is classified as an incident
<https://wiki.mozilla.org/CA/Responding_To_An_Incident>. This policy
incorporates by reference the CCADB's Incident Reporting Guidelines
<https://www.ccadb.org/cas/incident-report> (IRGs) as if fully set forth
herein. As such, CA operators MUST report all incidents within 72 hours of
the CA being made aware, and if a Full Incident Report is not yet ready,
the CA operator MUST provide a Preliminary Incident Report, all in
accordance with the IRGs.

Any matter documented in an audit as a qualification, a modified opinion,
or non-conformity is also considered an incident and MUST have a
corresponding Audit Incident Report
<https://www.ccadb.org/cas/incident-report#audit-incident-reports>.

CA operators MUST regularly update Incident Reports in accordance with the
IRGs until the corresponding Bugzilla <https://bugzilla.mozilla.org/> bug
is marked as resolved by a root store representative.

Mozilla expects the timely remediation of the problems that caused or gave
rise to an incident. In response to incidents, Mozilla MAY further require
that the CA operator submit a plan of action with milestones or submit one
or more additional audits to provide sufficient assurance that the incident
has been remediated. Such audits MAY be expected sooner than the CA
operator’s next scheduled audit, and thus MAY be expected to be for a
period less than a year.

This proposed change to MRSP 2.4 has been recorded in GitHub here
<https://github.com/mozilla/pkipolicy/compare/28a519327a21bebafc1cc3721d4376ba85bf3f98%E2%80%A651b145defe75ebe0c37b84e4e25fb90092c8e9d6>.

Please provide any comments or suggestions.

Thanks,

Ben

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYTJBw_Dj8u_fcj6cr-gRKCDvx9rzvUq%2BLVth7-%3DFSKyw%40mail.gmail.com.