Kathleen, Gerv, Richard and m.d.s.p,

In reviewing the WebTrust audit documentation submitted by various CA
program members and organizations wishing to be members, it seems
there is possibly some confusion on what is required by Mozilla.  I
suspect this might also span to ETSI audit documentation, but I don't
know the ETSI process as well, so will leave it to some else to
determine if there is confusion there.

The first part of the confusion comes from the scope of the audit.
When engaging an auditor to provide attestation services, it is up to
the organization to define the scope of the audit.  For audits
utilizing the WebTrust criteria, the scope could be all parts of the
criteria.  According to auditors I have spoken with, the report will
indicate which portions of the criteria were in scope for the audit by
including a statement of items in scope on the management assertion.
If the assertion does not include an item, or the auditor does not
express an opinion about the item, then it should be assumed to be out
of scope.

I have seen a number of reports that do not include all of the
criteria as being in scope.  Specifically, many reports do not provide an
opinion on criteria 7 ("Subordinate CA Certificate Life Cycle
Management") of the Trust Services and Principles and Criteria for
Certification Authorities.  Given the emphasis on subordinate CAs in
the Mozilla policy, it would seem that this should be required for any
CA which does not have the zero path length constraint.  The current
inclusion policy item 11 presumably includes this already, but does
not specifically state that all parts of the listed criteria must be

The second item of confusion seems to be which CA certificate subjects
must be audited.  A number of CAs only include the subjects of CA
certificates directly included in the Mozilla products and do not
include the subjects of subordinate CA certificates.  My impression is
that there should be a report clearly covering each subject of an
unconstrained CA certificate in the hierarchy, as described in item 8
of the inclusion policy.  This includes a Baseline Requirements report
for any unconstrained CA, even if the CA is not intended to be used
for server authentication ("SSL") certificates.

What is Mozilla's expectation?  Do CAs need to ensure that all
components of the criteria are included in their report and ensure
that all unconstrained subordinates are identified as being covered by
the reports?

dev-security-policy mailing list