All,
As the CFCA discussion showed, there are a few things still to figure
out regarding the audits of CA conformance to the BRs.
Here are my proposals.
1) BR Audits should always include the whole-population audit of
intermediate certificates.
The CA's roots and all of their intermediate certificates should
*always* be audited for conformance to the stated standards. In the
audit, sampling can be used only for end-entity certificates.
I think this would need to happen in the CA/Browser Forum, probably as
an update to the BRs.
2) BR point-in-time audits may not be sufficient.
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
"Any Certificate Authority being considered for root inclusion after
February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA
Certificate Policy. This includes having a Baseline Requirements audit
performed if the websites trust bit is to be enabled. *Note that the
CA's first Baseline Requirements audit may be a Point in Time audit.*"
We could change that to say that the first BR audit may be performed
over a minimum of 3 months, and include testing of issuance and
infrastructure; i.e., if it is the CA's first BR audit (because they were
not in the program and did not know about the BRs), then the audit should
cover 3 months, and the certificates/CRLs/OCSP-responses issued during
that time must be evaluated against the BRs.
Would this help? I.e., is it needed in addition to proposal #1?
3) If the CA's auditor missed something regarding the BRs, then the CA
has to fix the problems and be re-audited by a different auditor.
Would a *complete* audit need to be performed?
Or just an audit to show the problems have been resolved?
Should we require that the re-audit be for a minimum of 3 months?
This can be added to our wiki pages now, and we may want to consider
adding this to the actual policy.
4) I think we need to formally augment the audit process with software
tools, such as analysis of data of existing sites chaining up to roots
being considered for inclusion, and also run them periodically for included
roots.
I will appreciate your constructive feedback on these items.
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy