On Wed, Oct 10, 2018 at 4:58 PM Grabowski Piotr <[email protected]> wrote:
> Hello Ryan,
>
>
> In the design of this template, one of the concerns was about
> understanding *how* a problem happened, not just how a CA responded. This
> is why it includes text such as "This may include events before the
> incident was reported, such as when a particular requirement became
> applicable, or a document changed, or a bug was introduced, or an audit was
> done."
>
> 1) When were the policy templates introduced
>
> We are using Verizon UniCERT PKI software. Policy or templates are
> an integral part of the software and they exist there all along.
>

I'm uncertain how to interpret your answer. Are you saying that, until this incident, KIR S.A. operated the UniCERT PKI software without any modifications whatsoever to the default policy templates? Did KIR S.A. review these policy templates to ensure compliance with the Baseline Requirements? If you created policy templates yourselves, when were they created, reviewed, updated, etc.?

From your reply with Wayne, it's clear that the software maintains an audit log for these operations. Based on your reply, the understanding is that there are only two versions of the policy templates - the default configuration as shipped, and now the updated one to mitigate this issue. Is that a correct understanding?

> 2) When were the policy templates reviewed
>
> All policies/templates were reviewed right after the incident occurred.
> We have also added procedural step for periodic certificate policy
> templates validation.
>

Again, this misunderstands the question. These questions are about understanding the events *before* the incident, not the events *after*. A root cause analysis must necessarily trace how the incident happened, which means understanding what events happened before.

In light of this explanation, please review this question again. When were the policy templates operating prior to this incident reviewed? When were they last modified? When were they introduced?

Working through the steps of how the incident happened is an essential part of demonstrating that the mitigations are appropriate.

> 3) What are the templates review practices.
>
> We have added dual CAO control for modifying policy template which
> requires the presence of 2 CAO's (Certification Authority Operators)
> All policies/templates are reviewed against the purpose of given policy
> and CP/CPS.
>

Similarly, this discusses what has been done, but what was done prior to this incident? What were the review practices beforehand?

