On Thu, March 19, 2015 4:49 pm, Peter Bowen wrote:
> For example, based on what you reported and what I saw, the audit
> report should at a minimum say:
>
> E-Guven complies with the Baseline Requirements with the following
> qualifications:
> - Some certificates issued do not conform to 9.2.1
> - Some certificates issued do not conform to 9.2.4(d)
> - Some certificates issued do not conform to 9.2.5
> - Some certificates issued do not conform to Appendix A
>
> Do you think these qualifications are acceptable?
>
> Thanks,
> Peter
To be fair (and exceedingly cynical but depressingly realistic), the auditor:

- May not find these certificates during the sampling audit
- May not use the certificates found as evidence of further misissuance and thus not examine further
- May not even check the technical accuracy of these certificates
- For the certificates they find, may require that they simply be revoked

All of which would allow the auditor to indicate a statement that the CA fully conformed with all applicable policies during the period of time the audit covers.

The most egregious issue is that last bit: a CA can (in practice, though not desired) quietly sweep all such misissuance under the rug by allowing time to remediate the auditor's qualified findings, such that the auditor issues a glowing report consistent with the manager's assertion that the CA was fully on the up and up.

The mitigation for such a depressing state of affairs is to require transparency reporting during disclosure. That is, to require that auditors list all the issues found (as you did), how many such issues were found, and what steps the CA took to remediate the issues, all as part of the public, annual audit report.

It's been talked about before, certainly, but how to best accomplish such a wording change is unclear, and to get it incorporated into (WebTrust, ETSI) is another matter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

