Thank you David, Wendy, and Gerv for your input.

Here are my current thoughts on this.

> Can a CA hire someone to manage the inclusion process for them?

Yes, but a known individual within the CA must also get a Bugzilla account and comment in the bug to say that they will be the primary point of contact for the CA.

> What is the role of the CA’s primary point of contact (POC) with regard to Mozilla’s CA program?

The CA’s POC must be someone within the CA’s organization who has authority to speak on behalf of the CA, to make commitments for the CA, and to direct whatever changes the review process or Mozilla’s CA Communications require. That person should also be in a position that can be held accountable by the CA. A CA may have more than one POC, and may use a contractor as one of the POCs.

The POC will:
- Provide annual audit statements
- Respond to CA Communications
- Make sure the CA’s rows in the included spreadsheet remain current (http://www.mozilla.org/projects/security/certs/included/)
- Inform Mozilla when there is a change in the organization, ownership, CA policies, or in the POC that Mozilla should be aware of, as per items 4 through 7 of http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html

> Can email aliases be used for the CA’s POC?

Both an email alias and a direct email address must be provided.
At least one of the POCs must be an employee of the CA.
If the CA uses a contractor as an additional POC, then someone at the CA must be CC’d on the root inclusion Bugzilla bug, CA Communications, and the CA’s responses to CA Communications.

> What sort of authoritative confirmation is needed to ensure that the person truly should be the CA’s POC?

As per Mozilla policy the CA’s audit statement is either published on a credible auditor’s website, or a Mozilla representative performs an independent step to communicate directly with the auditor to confirm the authenticity of the audit statement that was provided.
https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
This provides an independent source of verification of the CA.

To ensure that the POC has the authority to perform the tasks listed above, a representative of Mozilla will do the following.
1) Use the CA’s website to confirm that the domain in the email address of at least one of the POCs is owned by the CA (e.g. @CAname.com).
2) Use the CA’s website to contact a person at the CA to confirm that at least one of the POCs that have been provided does indeed have the authority to perform the responsibilities listed above on behalf of the CA.
3) If a contractor is also used as a POC, then contact the POC that was verified in step 2 to confirm that the CA has indeed enlisted the help of the contractor.

David, I realize that this is not on par with what you suggested, but I also need to take into account what I can realistically do within my time (and work location) constraints.

While this may not be perfect, is this sufficient?

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy