On Tue, May 31, 2016 at 9:59 AM, Nick Lamb <[email protected]> wrote:

> That said, so far as I understand the Mozilla requirement is actually that
> such intermediates be disclosed _and audited_. The present disclosure from
> Symantec asserts that this intermediate is covered by the same audit as for
> all their other intermediates, but the certificate was actually issued _long
> after_ the period that audit covers, so this assertion by Symantec is
> nonsense. We need to get CAs to be honest with us. If the situation is that
> you've got no audit coverage for an intermediate, you need to _fix_ that, not
> just pretend it's covered by an audit report that doesn't even mention the
> intermediate and was written months before it existed.
Nick, I don't think that is an accurate assertion. My understanding is that there are generally yearly audits that cover all the CAs operated by a given entity. The audit includes controls around issuance and operation of subordinate CAs. If the entity is using the same controls for all their CAs, then issuing a new subordinate doesn't change anything. It will be reported upon in their next audit statement.

This has come up before and I'm still not clear what alternatives exist. WebTrust requires that the minimum reporting period is 60 days, and it generally takes a while for the auditor to do the field work and write the report (say 90 days). So, even if there were a requirement to have a unique audit for a new subordinate, you would be looking at 4-5 months of operation before there is a report.

How would you prefer to see new CA-operated subordinates handled?

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

