Lots of comments on audits.  In brief, I suggest they be
treated as "just another thing that some CAs might do"
and not be given a class of their own.

I personally think professional audits are a sick joke.
If someone says to me "XYZ CA" is audited, the only thing
I'm interested in is how much they paid the auditor, which
is good money turned to bad, now not available to make
things better.

I'm often alone in this radical skepticism, but, anyone
who had shares in Enron or any mutual funds might feel
sympathy with the pov.  Maybe also, all the shareholders
of all the S&Ls, in the eighties, might understand.




> 12. The policy should take independent audits of CAs


"or, any other independent reviews" ???

> into account as a
> factor in the decision process.
>
> Rationale: Since there is already an existing system by which CAs can
> undergo independent audits, it would be foolish not to take advantage of
> that system if and when it makes sense to do so. That's especially true
> if the audit process results in public information beyond a simple
> "pass/fail" grade.


Sure. Although, see my comments on 13 below; it may be possible to fold these two points together.


> 13. The policy may treat passing an independent audit as a sufficient



I would change this to make the audit process an example of the class, rather than the class talked about in this section. Something like:

    The policy may treat & accept the "best practices" regimes
    promoted by stakeholder groups as a sufficient basis, as
    either a routine or exceptional condition, but will not be
    bound by these regimes.

    Compliance with any or all of the components of a best
    practices approach will be treated as inputs into the
    process.

The emphasis then switches to the regimes as promoted by
the various CA stakeholder groups, rather than any one
particular component such as audits.

Then, add:

    As an example, independent audits as promoted by the
    stakeholder groups are one such component that will
    be considered as an appropriate input.


...


> Second, it is not clear as a general matter that independent auditing is
> inevitably superior to internal evaluation. Auditing in general is in
> part a response to the fact that the entities being audited (e.g., CAs,
> public companies, etc.) do not expose to public view all details of
> their internal operations. The auditor therefore acts as a "stand in"
> for the people who have an actual interest in the soundness of the
> practices of the entity being audited. (In the case of public companies
> these are investors, in the case of CAs these are certificate holders,
> certificate users, and others.)


Much of the additional governance that takes place in these markets is often done on the basis of "if you don't do this you might be sued." As companies are working with other people's money, it is easy for them to be over-cautious, which results in a spiral of prophets of doom and worry merchants, all trying to outdo each other, and to protect themselves by doing the same as everyone else (so they won't get sued).

It's very easy to lose sight of the real value in such
cases, where managers are acting more out of fear of
doing the wrong thing than thinking about how to make
things better.  This is perhaps why audits don't really
impress people any more, although most people still can't
accept them not being done; and in financial markets,
there always seems to be some sort of dramatic scandal
going on that auditors should have caught.


...


> 14. If a CA has not undergone an independent audit, then the policy
> should require that the policy implementors (i.e., those deciding
> whether or not to include the CA's cert) perform their own assessment of
> the CA's policies and practices.


Again, I don't think that concentrating on audits is fruitful. It's just one way in which some people do this stuff. Next year, it might be that every CA has to put all their keys into secure nCipher boxes, because one did so ... and the year after might become the year of "2048 bit keys or bust." None of this is of benefit, if done only for marketing and herding reasons, so it should all be optional; in essence, from a "service to users" point of view, we should be encouraging the CAs not to standardise, but to differentiate their offerings.


> Rationale: If a CA is to be included that has not undergone independent
> audit, then the Mozilla project owes it to Mozilla users to attempt to
> perform some level of audit itself. Otherwise we can't properly assess
> whether including the CA's certificate(s) would lead to a security risk
> for users.


There are lots of designs for security stuff that won't benefit from an audit. If the process of creating and adding a new CA is open enough, then there should be plenty of scrutiny by people as to the level of protection needed; likewise, the team wants to have the flexibility to move into new territory.

> The project also owes it to other CAs who have gone to the trouble and
> expense of undergoing audits themselves, and who might perceive it as
> unfair that a CA could be included without being audited.


I think this can be a two-edged sword. If CAs have gone to the trouble, then they will of course yell "unfair!" for anyone who hasn't. The normal business strategy is to complain about those that aren't as "diligent" as oneself, and if one can create a costly, grandiose standard, that is a good thing for those already there.

But, those that hold up the audit (or any other
tool that might be considered) as being essential
tend to do so within their own patch, and don't
realise that there are many other opportunities
out there.  It may be that there are better methods,
and in time, everyone switches over to them.  That
can only happen if there is some flexibility to let
new methods come in.

(CAs are a case in point - I believe that they could
expand their market dramatically, but only by being
much more flexible in the way they deal with certs,
but that's a distraction from the current topic.)


> 15. The internal assessment of CAs that have not undergone independent
> audit should be based only on information that is (or will be) available
> to the general public, and should be based on specific, objective, and
> verifiable criteria as outlined in the policy itself or in public
> documents referenced by the policy. This also applies to any additional
> assessment of CAs that already have undergone independent audit.


Just to flip that around ....


Does that mean that if an audit is secret, then it will
pass muster?  That won't work - the public audit document
or report should be the input, as anything that happens
behind closed doors should be by default discounted (to
zero in my book...).

Otherwise, you can't tell the difference between an
audit by firm A that does good work, and an audit by
firm B that charges the same amount of money, but does
no work.  And, if an audit is accepted as a secret, then
it simply encourages the company to skimp on the audit
in the future, and keep the skimping as a secret.  This
is a routine practice, so routine that auditors know
how to tune their offering to do the right sort of
skimping.

(I know this "big company" that sells software .. they
employ a "big auditor" to do the security audit.  One
year, the team went in and wrote a report saying the
whole thing was totally insecure.  The partners then
had to burn the midnight oil rewriting the report to
say everything was hunky dory, so they could get their
fat partners' bonus.  As I say, totally routine.)


iang


_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto