Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-27 Thread Kathleen Wilson via dev-security-policy
All, Just FYI that I updated the CA Incident Dashboard wiki page to separate the audit delay bugs into their own section. https://wiki.mozilla.org/CA/Incident_Dashboard#Audit_Delays Thanks, Kathleen

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-23 Thread Kathleen Wilson via dev-security-policy
It's still very much a work-in-progress, but I updated the first bullet point in the "Minimum Expectations" section again. https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay "" Both ETSI and WebTrust Audits should: - Disclose each location (at the state/province level) that was included

RE: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-23 Thread Jeremy Rowley via dev-security-policy
Although I’m sure every CA has business continuity plans, I think that extended blocked access to every data center they have may not be part of that plan. I’m not sure, but I think if the required shelters are in place for long periods you may start to see problems. Early disclosure sounds

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-21 Thread Jeff Ward via dev-security-policy
On Friday, March 20, 2020 at 3:55:08 PM UTC-5, Ryan Sleevi wrote: > On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > My question: What should "location" mean in the above requirement? > > > > The WebTrust Practitioner

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Kathleen Wilson via dev-security-policy
On 3/20/20 1:15 PM, Jeremy Rowley wrote: What about issues other than audits? For example, with certain locations closing, key ceremonies may become impossible, leading to downed CRLs/OCSP for intermediates. There's also a potential issue with trusted roles even being able to access the data

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 20, 2020 at 4:15 PM Jeremy Rowley via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > What about issues other than audits? For example, with certain locations > closing, key ceremonies may become impossible, leading to downed CRLs/OCSP > for intermediates.

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > My question: What should "location" mean in the above requirement? > The WebTrust Practitioner Guidance offers a reasonable definition:

RE: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Jeremy Rowley via dev-security-policy
What about issues other than audits? For example, with certain locations closing, key ceremonies may become impossible, leading to downed CRLs/OCSP for intermediates. There's also a potential issue with trusted roles even being able to access the data center if something goes down and Sub CAs

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-20 Thread Kathleen Wilson via dev-security-policy
All, I will greatly appreciate your ideas about the following. In the Minimum Expectations section in https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay I added: "" * Both ETSI and WebTrust Audits must: ** Disclose each location that was included in the scope of the audit, as well as

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-19 Thread Kathleen Wilson via dev-security-policy
On 3/18/20 5:16 PM, Ryan Sleevi wrote: Suggestions: 1) Rename "Audit Delay" to [audit-delay] and rename "Audit Delay COVID-19" to [audit-delay] [covid-19] or [audit-delay-covid-19], depending Rationale: In general, our filters work on word searches, so the brackets help distinguish the

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-18 Thread Ryan Sleevi via dev-security-policy
Suggestions: 1) Rename "Audit Delay" to [audit-delay] and rename "Audit Delay COVID-19" to [audit-delay] [covid-19] or [audit-delay-covid-19], depending Rationale: In general, our filters work on word searches, so the brackets help distinguish the two. To search for "Audit Delay" without

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-18 Thread Kathleen Wilson via dev-security-policy
All, I will greatly appreciate your input on the following new "Audit Delay" section. https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay Thanks, Kathleen PS: I moved the content of https://wiki.mozilla.org/CA/Audit_Letter_Validation to https://wiki.mozilla.org/CA/Audit_Statements

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-12 Thread clemens.wanko--- via dev-security-policy
Situation from ACAB'c ETSI auditors' point of view: On one hand it is quite simple: if the auditor cannot perform the audit as foreseen in the certification program no certificate can be issued. In case a surveillance audit cannot be performed, the certification body must withdraw the affected

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-07 Thread Jeff Ward via dev-security-policy
On Saturday, March 7, 2020 at 8:24:57 AM UTC-6, Ryan Sleevi wrote: > On Fri, Mar 6, 2020 at 9:03 PM jwardcpa--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Great follow on questions Ryan. As far as the detailed report, whether > > the end product is in the

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-07 Thread Ryan Sleevi via dev-security-policy
On Fri, Mar 6, 2020 at 9:03 PM jwardcpa--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Great follow on questions Ryan. As far as the detailed report, whether > the end product is in the current form, or in the detailed version, the > lead auditor is taking full

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-06 Thread jwardcpa--- via dev-security-policy
On Friday, March 6, 2020 at 12:13:49 PM UTC-6, Ryan Sleevi wrote: > Thanks Jeff, > > This is incredibly helpful to understand the approach (and limitations) > that are relevant in the context of a WebTrust report. I'm hoping our ETSI > colleagues might provide a similar level of detail, as I

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-06 Thread Ryan Sleevi via dev-security-policy
Thanks Jeff, This is incredibly helpful to understand the approach (and limitations) that are relevant in the context of a WebTrust report. I'm hoping our ETSI colleagues might provide a similar level of detail, as I suspect this is hardly "just" a WebTrust problem at this point. On Fri, Mar 6,

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-06 Thread jwardcpa--- via dev-security-policy
Certainly, situations such as the outbreak of COVID-19 (Coronavirus) provide significant business challenges, not to mention all of the heartache felt by those suffering personally. From a business standpoint, the outbreak of the Coronavirus is a reminder how fragile companies are to events

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-04 Thread Ryan Sleevi via dev-security-policy
Thanks Arvid! I think these are good starting points for discussion! On Wed, Mar 4, 2020 at 8:48 AM Arvid Vermote wrote: > When I initially raised the topic I had two things in mind: > > -What if a facility can’t be audited? > > -If main key management facilities are down can

RE: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-04 Thread Arvid Vermote via dev-security-policy
When I initially raised the topic I had two things in mind: -What if a facility can’t be audited? -If main key management facilities are down can WebPKI CA meet SSLBR 4.9.1.2? As for the inability to audit, a few things come to mind based on the previous shared thoughts: -

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-28 Thread Ryan Sleevi via dev-security-policy
Hi Arvid, I wanted to follow-up, and see if you had suggestions or ideas here for appropriate next steps. Understandably, as more countries are affected, this will no doubt continue to be an issue. I think you're spot on for asking early, as you did, and I'm hoping GlobalSign (and others!) might

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-20 Thread Ryan Sleevi via dev-security-policy
On Thu, Feb 20, 2020 at 4:58 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We will continue to follow our standard process to adjudicate the issue > regarding failures to provide CA audit statements [1] and we will work > with the impacted CAs

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-20 Thread Kathleen Wilson via dev-security-policy
All, First, I would like to add a personal note that I am truly sorry about the many people, families, and colleagues that are being impacted by the Coronavirus. This is a heartbreaking situation. At Mozilla, our responsibility lies in ensuring people's security and privacy as they navigate

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-20 Thread Ryan Sleevi via dev-security-policy
What would/should be the expected response if a natural disaster/act of God happened and the security of the key material could not be assured by an independent third party? For example, an earthquake, typhoon, or military coup disrupting travel to location(s) with the key material? Similarly,

Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-02-19 Thread Arvid Vermote via dev-security-policy
COVID-19 is going on and there currently is a quarantine of certain areas in China and also alert levels are further raising in other (mainly East-Asian) countries. How will the root programs approach CA facilities with key material that are in a lockdown or in a territory that is not