CA/Audit Statements: Difference between revisions

Continued clarification about specifying locations that were audited
(Added clarification about specifying locations that were audited)
(Continued clarification about specifying locations that were audited)
Line 112: Line 112:
Situations will be considered and treated on a case by case basis.  
Situations will be considered and treated on a case by case basis.  
* Both ETSI and WebTrust Audits should:
* Both ETSI and WebTrust Audits should:
** Disclose each ''CA Processing Location'' that was included in the scope of the audit, as well as whether the inspection was physically carried out in person.
** Disclose each location (at the state/province level) that was included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location.
*** ''CA Processing Location'' as defined in the [https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/practitioner-qualification-and-guidance WebTrust Practitioner Guidance]: "city, state/province (if applicable), and country of all physical locations used in CA operations. This includes data center locations (primary and alternate sites), registration authority locations (for registration authority operations performed by the CA), and all other locations where general IT and business process controls that are relevant to CA operations are performed.
*** If the CA has more than one location in the same state/province, then use terminology to clarify the number of facilities in that state/province and whether or not all of them were audited. For example: "Facility 1 in Province", "Facility 2 in Province, Facility 3 in Province" '''or''' "Primary Facility in Province", "Secondary Facility in Province", "Tertiary Facility in Province".  
*** If there are more than one CA Processing Locations in the same city, then use terminology to clarify the number of facilities in that city and whether or not all of them were audited. For example: "Facility 1 in City", "Facility 2 in City, Facility 3 in City" '''or''' "Primary Facility in City", "Secondary Facility in City", "Tertiary Facility in City".
*** TO DO: Clarify the types of CA locations that should be disclosed in the audit statement. e.g. data center locations, registration authority locations, where IT and business process controls of CA operations are performed, facility hosting an active HSM with CA private keys, facility or bank deposit box storing a deactivated and encrypted copy of a private key, other?
* ETSI Audits:
* ETSI Audits:
** [https://groups.google.com/d/msg/mozilla.dev.security.policy/4Q6WAgLAvDo/zMJu6HWkAQAJ Guidance provided in mozilla.dev.security.policy] included the following:  
** [https://groups.google.com/d/msg/mozilla.dev.security.policy/4Q6WAgLAvDo/zMJu6HWkAQAJ Guidance provided in mozilla.dev.security.policy] included the following:  
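Review bot: The quoted WebTrust Practitioner Guidance definition in the ''CA Processing Location'' sub-bullet opens a quotation mark before "city, state/province (if applicable), and country" but never closes it, so a reader cannot tell where the quoted guidance ends; close the quote after "are performed." The sub-bullet beginning "TO DO:" leaves undecided which location types (data centers, registration authority locations, facilities hosting an active HSM, storage of deactivated key copies) must be disclosed, so the "Disclose each location" requirement is not complete until that list is settled. Also, "If there are more than one CA Processing Locations" should read "If there is more than one CA Processing Location".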