On 1/2/2016 9:59 PM, Peter Kurrasch wrote:
Thank you, Dimitris, for your helpful response! I appreciate the
clarifications you provided. I do like that there are fairly tight
controls in place as I think it will serve everyone (both HARICA CA
subscribers and the wider Internet population) well.
I did review version 3.3 (which is much better than the previous
version!) and the clarifications you mention below all sound
reasonable to me. I have no further comments on them if you will be
updating the CPS accordingly. For some of the more technical points, I
will provide some commentary but in a separate email. I'll try to get
my comments to you soon since I'm sure you want to move forward in
this process without too much delay.
Thanks again.
Thank you Peter,
We do plan to update these language issues and relevant parts of our
CP/CPS during our scheduled annual audit in May - June 2016.
Thank you again for the review.
Sincerely,
Dimitris Zacharopoulos.
From: Dimitris Zacharopoulos
Sent: Tuesday, January 26, 2016 5:58 AM
Hello Peter and thank you for reviewing this request. I hope you have
reviewed the DRAFT CP/CPS available
<https://bugzilla.mozilla.org/attachment.cgi?id=8698099> from the bug
1201423 <https://bugzilla.mozilla.org/show_bug.cgi?id=1201423>, since
we have made some changes after the original bug report.
On 25/1/2016 6:16 PM, Peter Kurrasch wrote:
I've reviewed the CPS/CP and in general I like it but I do have some
concerns. My frame of reference is two-fold: First, how large is the
attack surface through which I as a bad guy might obtain a cert to
use for nefarious purposes? I would rate that as "moderate". Second,
how much damage can I cause with a fraudulently obtained cert and
private key? I rate this as "significant" based on my understanding
and interpretation of this doc. As my understanding improves I'll
probably change my mind, though.
One general problem I had was trying to figure out the right context,
roles, and such for some of the policies stated in the doc. For
example, the terms HARICA, HARICA PKI, HARI PKI, HARICA member of
organization, HARICA root, subCAs and such appeared in ways that
seemed confusing, but maybe I am the one who's confused. In particular
it wasn't always clear to me which roles would be performed by a
"member organization" vs. "the main" CA, under which circumstances,
and how many there are likely to be. Knowing this helps me better
judge the attack surface and damage potential.
We will try to make these terms clearer in a future revision. For this
review, please consider the following, which might make things clearer:
"HARICA" is the "organization" that runs, administers, manages,
oversees the "HARICA PKI". HARICA Root and all subCAs are centrally
managed. We searched for the term "HARI PKI" in our CP/CPS but did not
get a hit. HARICA members are Greek Academic and Research Institutions
signing a certain MoU <http://www.harica.gr/documents/MoU-EN.pdf>,
which is available at http://www.harica.gr/procedures. You may
consider this as an "affiliation", as defined in section 1.6.1. HARICA
members (as Institutions) have physical persons (students, faculty,
staff, researchers and so on) under their "supervision".
We did not find the term "the main" referring to a CA. We do have a
"Central RA" that verifies identity, email ownership and control over
domains.
...snip...
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy