CA/Audit Statements: Difference between revisions

Moving audited locations into separate section (separate from audit delay)
(Added clarification.)
CA Audits are one of the primary mechanisms relied upon by Mozilla to ensure that a CA is operating securely and in compliance with our policies. CA audits and audit statements must comply with the following requirements.
* Section 3 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]
** An [[CA/Audit_Statements#Audit_Delay|Audit Delay]] is when one or more of the following requirements in section 3.1.3 cannot be met:
*** "Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually."
*** "... MUST be provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period."
* [https://www.ccadb.org/policy#51-audit-statement-content Section 5.1 of the Common CCADB Policy].
* Section 8 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements], if the root certificate has the Websites (TLS/SSL) trust bit enabled.
= Audit Letter Content =
The requirements for audit letter content are specified in
* Section 3.1 of [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Mozilla's Root Store Policy]
* [https://www.ccadb.org/policy#51-audit-statement-content Section 5.1 of the Common CCADB Policy].
* Section 8 of the [https://cabforum.org/baseline-requirements-documents/ CA/Browser Forum Baseline Requirements], if the root certificate has the Websites (TLS/SSL) trust bit enabled.
These include the following format requirements.
* Format Specifications for SHA-256 Fingerprints:
** MUST: No colons, no spaces, and no line feeds
** MUST: Uppercase letters
** MUST: be encoded in the document (PDF) as text searchable, not an image
* Format Specifications for Dates: The following formats are accepted by ALV
** Month DD, YYYY example: May 7, 2016
** DD Month YYYY example: 7 May 2016
** YYYY-MM-DD example: 2016-05-07
** Month names in English
** No extra text within the date, such as “7th” or “the”
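As an added illustration (not part of this wiki page and not Mozilla's own ALV implementation), the following Python checks a SHA-256 fingerprint and a date string against the format rules listed above, so a CA can pre-check an audit statement before filing it in the CCADB. The regular expressions, the `check_fingerprint`/`parse_audit_date` names and the sample inputs are assumptions of this example.

```python
from __future__ import annotations
import re
from datetime import date

# Accepted date formats listed on this page: "Month DD, YYYY", "DD Month YYYY",
# "YYYY-MM-DD", English month names, no ordinal suffixes or filler words.
MONTHS = {m: i for i, m in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}
MONTH_RE = "|".join(MONTHS)
# Each pattern is paired with a function returning (year, month, day) from its match.
DATE_PATTERNS = [
    (re.compile(rf"^({MONTH_RE}) (\d{{1,2}}), (\d{{4}})$"), lambda m: (m[3], m[1], m[2])),
    (re.compile(rf"^(\d{{1,2}}) ({MONTH_RE}) (\d{{4}})$"), lambda m: (m[3], m[2], m[1])),
    (re.compile(r"^(\d{4})-(\d{2})-(\d{2})$"), lambda m: (m[1], m[2], m[3])),
]
# Fingerprint rule: 64 uppercase hex digits, no colons, spaces or line feeds.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{64}$")


def check_fingerprint(value: str) -> tuple[bool, str]:
    """Return (ok, reason) for a SHA-256 fingerprint string as it appears in the PDF text."""
    if FINGERPRINT_RE.fullmatch(value):
        return True, "ok"
    if re.fullmatch(r"[0-9A-Fa-f]{64}", value):
        return False, "lowercase hex digits present; must be uppercase"
    if re.fullmatch(r"[0-9A-Fa-f]{64}", re.sub(r"[:\s]", "", value)):
        return False, "contains colons, spaces or line feeds"
    return False, "not a 64-hex-digit SHA-256 fingerprint"


def parse_audit_date(value: str) -> date | None:
    """Return the date if `value` uses one of the three accepted formats, else None."""
    for pattern, order in DATE_PATTERNS:
        m = pattern.match(value)
        if m:
            year, month, day = order(m)
            month_num = MONTHS[month] if month in MONTHS else int(month)
            try:
                return date(int(year), month_num, int(day))
            except ValueError:  # e.g. 2016-02-30
                return None
    return None  # ordinals ("7th"), filler ("the"), non-English month names, etc.


if __name__ == "__main__":
    # Constructed sample values, not taken from any real audit statement.
    print(check_fingerprint("A" * 64), check_fingerprint("ab:cd" + "A" * 60))
    print(parse_audit_date("May 7, 2016"), parse_audit_date("7th May 2016"))
```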
== Audited Locations ==
Both ETSI and WebTrust Audits should:
* Disclose each location (at the state/province level) that was included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location.
** If the CA has more than one location in the same state/province, then use terminology to clarify the number of facilities in that state/province and whether or not all of them were audited. For example: "Facility 1 in Province", "Facility 2 in Province, Facility 3 in Province" '''or''' "Primary Facility in Province", "Secondary Facility in Province", "Tertiary Facility in Province".
*** The public audit statement does not need to identify the type of Facility.
*** "Facility" includes: data center locations, registration authority locations, locations where IT and business process controls of CA operations are performed, facilities hosting an active HSM with CA private keys, and facilities or bank deposit boxes storing a deactivated and encrypted copy of a private key.


= Audit Letter Validation =