On Tue, September 8, 2015 9:13 am, Jürgen Brauckmann wrote:
> Ryan,
>
> sorry, I don't understand you. You cannot pass a WebTrust for CAs audit
> when you do the things you mentioned. There is no difference between
> email/codesigning certs and TLS server certs.
Juergen,

The unfortunate reality is that you can.

For example, regarding CRLs and OCSP, using "WebTrust for CAs 2.0" ( http://www.webtrust.org/homepage-documents/item54279.pdf ), the requirement is established in Section 6.8. However, note that the criterion is that complete and accurate certificate status information is made available to relevant entities _in accordance with the CA's disclosed business practices_. This does not *require* support for these methods, if a CA's CP/CPS does not disclose them.

Further, even if the CA does disclose that they make revocation information available, they may not make it available via CRLs or OCSP. For example, I've seen availability done via LDAP (not delivery of a CRL via LDAP, but where the presence of an LDAP entity signifies revocation) or via a Web form (enter a serial number, get a human-readable revocation status). Both of these examples - or no support at all - meet the criteria of WebTrust for CAs.

Other examples - such as uptime - are not embodied in "WebTrust for CAs".

Further, on the topic of misissuance, what an auditor is examining is whether or not controls exist - and whether they're followed. If a control exists for identity validation, and it's "insufficient" (as deemed by the Mozilla community), that still meets the criteria set forth in "WebTrust for CAs". Further, if following the policies and practices that the CA has documented leads to a 'misissued' certificate - but those policies were fully adhered to - then that's not a qualified finding from the POV of an auditor.

I hate pointing out that the emperor has no clothes, but you can see why so much effort has been focused on improving the SSL/TLS ecosystem, often with quantifiable measures (for example, the use of Certificate Transparency to examine BR compliance), because the audit is not designed to be perfect.
And, of course, I'm ignoring the fact that auditors are not obligated or needed to examine a CA's CP/CPS when making these calls, so it's entirely possible for a CA to document one thing, and then provide a different document to an auditor demonstrating a different set of controls. This would fully pass "WebTrust for CAs" - and while it might make the auditor unhappy (especially if they notice), the system does not have intrinsic defenses against this.

Cheers,
Ryan

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

