*** The public audit statement does not need to identify the type of Facility.
*** "Facility" includes: data center locations, registration authority locations, where IT and business process controls of CA operations are performed, facility hosting an active HSM with CA private keys, facility or bank deposit box storing a deactivated and encrypted copy of a private key.

= Audit Lifecycle =
'''DRAFT: This section is currently being drafted, and will be discussed in the mozilla.dev.security.policy forum.'''
<br />
Reference: https://cabforum.org/wp-content/uploads/Audit-Lifecycle.pdf
<br /> <br />
Mozilla's Root Store Policy states the following requirements, which apply to root certificates and to all intermediate certificates that have at least one valid, unrevoked chain up to such an included root certificate and that are technically capable of issuing working server or email certificates, as described in section 1.1 of Mozilla's [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ Root Store Policy].
* Before being included and periodically thereafter, CAs MUST obtain certain audits for their root certificates and all of their intermediate certificates that are technically capable of issuing working server or email certificates.
* Full-surveillance period-of-time audits MUST be conducted and updated audit information provided no less frequently than annually from the time of CA key pair generation until the CA certificate is no longer trusted by Mozilla's root store.
* Successive audits MUST be contiguous (no gaps).
* Point-in-time audit statements may be used to confirm that all of the problems that an auditor previously identified in a qualified audit statement have been corrected. However, a point-in-time audit does not replace the period-of-time audit.
* Audit reports which are being supplied to maintain a certificate within the Mozilla root program MUST be provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period.
* If the CA has a currently valid audit report at the time of creation of the certificate, then the new certificate MUST appear on the CA's next periodic audit reports.

= Audit Letter Validation =