All,

This post is intended to initiate public discussion on improvements to the Mozilla Root Store Policy (MRSP) in line with GitHub Issues #270 <https://github.com/mozilla/pkipolicy/issues/270> and #271 <https://github.com/mozilla/pkipolicy/issues/271> (Incident Reporting). FWIW, the CCADB is working on a somewhat parallel effort with PR #186 <https://github.com/mozilla/www.ccadb.org/pull/186>.
MRSP Section 2.4 <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#24-incidents> has slight differences from the CCADB's Incident Reporting Guidelines <https://www.ccadb.org/cas/incident-report> (IRGs). These discrepancies sometimes cause confusion. Therefore, it is proposed that much of the detail in MRSP § 2.4 be stricken and replaced with an explicit incorporation by reference to the CCADB's IRGs. Similar changes will be made to the Mozilla Incident Reporting wiki page <https://wiki.mozilla.org/CA/Responding_To_An_Incident> to ensure consistency.

Here is the proposed language for section 2.4 of the MRSP:

When a CA operator fails to comply with any requirement of this policy - whether it be a misissuance, a procedural or operational issue, or any other variety of non-compliance - the event is classified as an incident <https://wiki.mozilla.org/CA/Responding_To_An_Incident>. This policy incorporates by reference the CCADB's Incident Reporting Guidelines <https://www.ccadb.org/cas/incident-report> (IRGs) as if fully set forth herein. As such, CA operators MUST report all incidents within 72 hours of the CA being made aware, and if a Full Incident Report is not yet ready, the CA operator MUST provide a Preliminary Incident Report, all in accordance with the IRGs. Any matter documented in an audit as a qualification, a modified opinion, or non-conformity is also considered an incident and MUST have a corresponding Audit Incident Report <https://www.ccadb.org/cas/incident-report#audit-incident-reports>. CA operators MUST regularly update Incident Reports in accordance with the IRGs until the corresponding Bugzilla <https://bugzilla.mozilla.org/> bug is marked as resolved by a root store representative. Mozilla expects the timely remediation of the problems that caused or gave rise to an incident.
In response to incidents, Mozilla MAY further require that the CA operator submit a plan of action with milestones or submit one or more additional audits to provide sufficient assurance that the incident has been remediated. Such audits MAY be expected sooner than the CA operator’s next scheduled audit, and thus MAY be expected to be for a period less than a year.

This proposed change to MRSP 2.4 has been recorded in GitHub here <https://github.com/mozilla/pkipolicy/compare/28a519327a21bebafc1cc3721d4376ba85bf3f98...51b145defe75ebe0c37b84e4e25fb90092c8e9d6>. Please provide any comments or suggestions.

Thanks,
Ben