Hi Kathleen,
With respect to providing a list - is there any requirement to ensure
Mozilla accepts that as a reasonable remediation?
For example, would "We plan to not do the same in the future" be an
acceptable remediation plan? As currently worded, it would seem to meet the
letter of this requirement.
This would be useful to ensure before [2]
On Tue, Oct 3, 2017 at 10:38 AM, Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Here's a draft of the Bugzilla Bug that I plan to file to list the action
> items for PROCERT to complete before they may re-apply for inclusion in
> Mozilla's Root Store. I will appreciate feedback on this.
>
> == DRAFT ==
> Subject: PROCERT: Action Items
>
> As per Bug #1403549 the PSCProcert certificate will be removed from
> Mozilla’s Root Store due to a long list of problems and they way that
> PROCERT responded to those problems (and to previous CA Communications).
> For details about the problems, see Bug #1391058 and
> https://wiki.mozilla.org/CA:PROCERT_Issues
>
> The purpose of this bug is to record the action items that PROCERT must
> complete before their certificate may be included as a trust anchor in
> Mozilla’s Root Store again.
>
> PROCERT may apply for inclusion of a new certificate[1] following
> Mozilla's normal root inclusion/change process[2], after they have
> completed all of the following action items.
>
> 1. Provide a list of changes that the CA plans to implement to ensure that
> there are no future violations of Mozilla's CA Certificate Policy and the
> CA/Browser Forum's Baseline Requirements.
>
> 2. Implement the changes, and update their CP/CPS to fully document their
> improved processes.
>
> 3. Provide a reasonably detailed[4] public-facing attestation from a
> licensed auditor[3] acceptable to Mozilla that the changes have been made.
> This audit may be part of an annual audit.
>
> 4. Provide auditor[3] attestation that a full performance audit has been
> performed confirming compliance with the CA/Browser Forum's Baseline
> Requirements. This audit may be part of an annual audit.
>
>
> Notes:
> [1] The new certificate (trust anchor) may be cross-signed by the removed
> certificate. However, the removed certificate may *not* be cross-signed by
> the new certificate, because that would bring the concerns about the
> removed certificate into the scope of the new trust anchor.
> [2] Mozilla's root inclusion/change process includes checking that
> certificates in the CA hierarchy comply with the CA/Browser Forum's
> Baseline Requirements.
> [3] The auditor must be an external company, and approved by Mozilla.
> [4] “detailed” audit report means that management attests to their system
> design and the controls they have in place to ensure compliance, and the
> auditor evaluates and attests to those controls. This assertion by
> management - and the auditor's independent assessment of the factual
> veracity of that assertion - will help provide a greater level of assurance
> that PROCERT has successfully understood and integrated the BRs.
> ==
>
> Thanks,
> Kathleen
>
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy