CA/Audit Statements: Difference between revisions

(Moving audited locations into separate section (separate from audit delay))
(Moved more items into the appropriate sections.)
Line 1: Line 1:
= Audit Letter Content =
CA Audits are one of the primary mechanisms relied upon by Mozilla to ensure that a CA is operating securely and in compliance with our policies. CA audits and audit statements must comply with the following requirements.
* Section 3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]
Line 4: Line 5:
* Section 8 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements], if the root certificate has the Websites (TLS/SSL) trust bit enabled.


Note: An [[CA/Audit_Statements#Audit_Delay|Audit Delay]] is when one or more of the following requirements in section 3.1.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] cannot be met:
* "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually."
* "... MUST be provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period."

Format Requirements:
* SHA-256 Fingerprints
 
= Audit Letter Content =
The requirements for audit letter content are specified in
* Section 3.1 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]
* [https://www.ccadb.org/policy#51-audit-statement-content Section 5.1 of the Common CCADB Policy].
* Section 8 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements], if the root certificate has the Websites (TLS/SSL) trust bit enabled.
 
Audit statements must also meet the following format requirements.
* Format Specifications for SHA-256 Fingerprints:
** MUST: No colons, no spaces, and no line feeds
** MUST: Uppercase letters
** MUST: be encoded in the document (PDF) as text searchable, not an image
* Format Specifications for Dates: The following formats are accepted by ALV
* Dates
** Month DD, YYYY example: May 7, 2016
** DD Month YYYY example: 7 May 2016
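The fingerprint and date rules above are simple enough to check mechanically before an audit statement is uploaded. The following is an added example written for this page; it is not Mozilla's, the CCADB's or ALV's own code, and the function names and the sample fingerprint (a constructed hex string, not the fingerprint of any real certificate) are assumptions of the example. It reports which of the MUST rules a fingerprint breaks, normalises it into the required form, and accepts exactly the two date layouts listed.

```python
"""Format checks for audit-statement fingerprints and dates.

Added example, not Mozilla/CCADB/ALV code. Rules encoded here come from the
page: SHA-256 fingerprints MUST have no colons, spaces or line feeds and MUST
use uppercase letters; dates are accepted as 'Month DD, YYYY' or 'DD Month YYYY'.
(Whether the PDF stores the fingerprint as searchable text cannot be judged
from the string alone, so that rule is not checked here.)
"""
import re
from datetime import date, datetime
from typing import List, Optional

# 64 uppercase hex digits: the shape of a correctly formatted SHA-256 fingerprint.
HEX64 = re.compile(r"^[0-9A-F]{64}$")

# Constructed sample value, not the fingerprint of any real certificate.
SAMPLE_OK = "0123456789ABCDEF" * 4
# The same digits written the way auditors often print them: colon-separated,
# lowercase, and wrapped across a line (constructed to exercise the checks).
SAMPLE_BAD = ":".join(SAMPLE_OK[i:i + 2] for i in range(0, 64, 2)).lower()
SAMPLE_BAD = SAMPLE_BAD[:47] + "\n" + SAMPLE_BAD[47:]


def normalize_fingerprint(raw: str) -> str:
    """Strip colons and all whitespace (spaces, line feeds) and uppercase the hex."""
    return re.sub(r"[:\s]", "", raw).upper()


def fingerprint_is_compliant(text: str) -> bool:
    """True only if the fingerprint already satisfies the MUST rules as written."""
    return bool(HEX64.match(text))


def fingerprint_problems(text: str) -> List[str]:
    """List every format rule the given fingerprint string violates."""
    problems = []
    if ":" in text:
        problems.append("contains colons")
    if re.search(r"[ \t]", text):
        problems.append("contains spaces")
    if "\n" in text or "\r" in text:
        problems.append("contains line feeds")
    if re.search(r"[a-f]", text):
        problems.append("contains lowercase hex")
    # After normalisation the value must still be a 64-digit SHA-256 hash;
    # anything else is a typo, a truncation or a different hash algorithm.
    if not HEX64.match(normalize_fingerprint(text)):
        problems.append("not 64 hex digits after normalisation")
    return problems


# The two date layouts accepted on the page, as strptime patterns.
DATE_FORMATS = ("%B %d, %Y", "%d %B %Y")


def parse_audit_date(text: str) -> Optional[date]:
    """Return the date if the text uses an accepted layout, otherwise None."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    print("problems:", fingerprint_problems(SAMPLE_BAD))
    print("normalised:", normalize_fingerprint(SAMPLE_BAD))
    for sample in ("May 7, 2016", "7 May 2016", "2016-05-07"):
        print(sample, "->", parse_audit_date(sample))
```

Running it on the constructed sample reports colons, a line feed and lowercase digits, and shows the single normalised string that should appear in the statement; ISO-style dates such as 2016-05-07 are rejected because they are not among the accepted layouts.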
Line 126: Line 117:


= Audit Delay =
An Audit Delay is when one or more of the following requirements in section 3.1.3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy] cannot be met:
* "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually."
* "... MUST be provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period."
If a CA fails to deliver audit statements to Mozilla when they are due, Mozilla may take action to reduce the risks this presents to our users. The following guidance is intended for CAs in such a situation.
<br /><br />
Line 137: Line 132:
Situations will be considered and treated on a case by case basis.  
<br />
Both ETSI and WebTrust Audits should:
The audit statement needs to clearly indicate which [[CA/Audit_Statements#Audited_Locations|audited locations]] were and were not audited, and whether the inspection at each location was physically carried out in person, and which audit criteria were checked (or not checked) at each location.
* Disclose each location (at the state/province level) that was included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location.
** If the CA has more than one location in the same state/province, then use terminology to clarify the number of facilities in that state/province and whether or not all of them were audited. For example: "Facility 1 in Province", "Facility 2 in Province, Facility 3 in Province" '''or''' "Primary Facility in Province", "Secondary Facility in Province", "Tertiary Facility in Province".
*** The public audit statement does not need to identify the type of Facility.
*** "Facility" includes: data center locations, registration authority locations, where IT and business process controls of CA operations are performed, facility hosting an active HSM with CA private keys, facility or bank deposit box storing a deactivated and encrypted copy of a private key.


=== ETSI Audits ===