On 8/21/14, 8:59 AM, Kathleen Wilson wrote:
On 8/20/14, 5:30 PM, [email protected] wrote:
Sorry for this late response, but Peter Bowen's post below in subpart
2) is exactly correct - FF needs to accept PITRAs from new CA roots,
or else you will never have any new CA roots.
I updated the wiki page to make it more clear that I am concerned about
the case where the CA did not know about the BRs, so there are an
unknown number of certs in that CA hierarchy that do not conform to the
BRs.
https://wiki.mozilla.org/CA:BaselineRequirements#Point_in_Time_Readiness_Assessment_.28PITRA.29
Perhaps we should list the types of problems that are not allowed in
previously issued certs. If previously issued certs had those problems,
then a new root cert would have to be created and considered for
inclusion (instead of the old root cert).
Do you have recommendations about which BRs should be in this list?
i.e. the BRs that if not previously followed, the CA would have to
create a *new* root certificate to be considered for inclusion.
Another post suggested that when flaws are found in certs, maybe the CA
should be forced to change auditors; someone responded that this would
likely be very expensive (true). A better plan may be to require the
current auditor to come up with an immediate plan for correction and
compliance, and then present a mid-term partial audit following that
plan... Probably more meaningful and effective.
I updated
https://wiki.mozilla.org/CA:BaselineRequirements#Audit_Mistakes
to note that two proposals are under discussion:
Proposal #1: When egregious mistakes were overlooked by the auditor,
then require a re-audit by a different auditor.
Proposal #2: For certain types of mistakes that were overlooked by the
auditor, require the current auditor to come up with an immediate plan
for correction and compliance, and then present a mid-term partial audit
following that plan.
The benefit of Proposal #2 is that the auditor is already familiar with
that CA's operations, and the auditor will learn what to watch out for
in future audits.
Would it be OK to allow both Proposal #1 and Proposal #2? (i.e. the CA
gets to choose which of these paths to use to resolve the problems)
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy