On Mon, Feb 4, 2019 at 1:33 PM Kathleen Wilson via dev-security-policy < [email protected]> wrote:
> All, > > As you know, CCADB sends audit reminder emails regarding root certs in > Mozilla's program on the 3rd Tuesday of each month. > > We are going to update the date checks for determining when the email > gets sent, so that rather than keying off of the Audit Statement Date, > the check will key off of the Audit Period End date. > > Basing the reminders on the prior Audit Period End Date makes sense and is more in line with our policy which states that audit reports "...MUST be provided to Mozilla via the CCADB within three months of the point-in-time date or the end date of the period." > I will appreciate input on what the date ranges should be. > > Here's the current logic with just the change to use Audit Period End Date. > > 1) If > (1 year - 30 days) < Audit Period End Date <= (1 year + 120 days) > Send Courtesy Audit Reminder > > https://wiki.mozilla.org/CA/Email_templates#Courtesy_Audit_Reminder_Email_Template > > The timing for this seems too late if the intent is to remind the CA to get their audit scheduled, and too soon if the intent is to remind the CA that their report is due to Mozilla soon, given that most reports aren't ready until just before the deadline. If the intent is the latter, I'd suggest that the right timing is 1 month before the report is due, i.e. 1 year + 2 months from the prior Audit Period End Date. 2) If > (1 year + 120 days) < Audit Period End Date <= (1 year + 240 days) > Send Overdue Audit Reminder > > https://wiki.mozilla.org/CA/Email_templates#Overdue_Audit_Statement_Email_Template > > I think this email should go out when the report is first overdue, i.e. 1 year + 3 months from the prior Audit Period End Date. 3) If > (1 year + 240 days) < Audit Period End Date > Send Danger of being Removed notice > > https://wiki.mozilla.org/CA/Email_templates#Failure_to_Provide_Audit_Statement_Email_Template > > > For you reference, previous audit reminder email summaries are here: > > https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/8J8LZNlaDgAJ > > Thanks, > Kathleen > > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
