On Fri, Sep 23, 2016 at 6:22 AM, Jakob Bohm <[email protected]> wrote:
> On 23/09/2016 14:29, Kurt Roeckx wrote:
>>
>> On 2016-09-23 00:57, Peter Bowen wrote:
>>>
>>> Kathleen, Gerv, Richard and m.d.s.p,
>>>
>>> In reviewing the WebTrust audit documentation submitted by various CA
>>> program members and organizations wishing to be members, it seems
>>> there is possibly some confusion on what is required by Mozilla. I
>>> suspect this might also span to ETSI audit documentation, but I don't
>>> know the ETSI process as well, so will leave it to someone else to
>>> determine if there is confusion there.
>>
>>
>> So at least 1 thing I miss in those audit reports is which CAs are
>> covered. If you look at the CAs they disclosed, how can we be sure that
>> the audit actually covers that CA? I think the report should cover at
>> least all root and intermediate CAs that are required to be disclosed by
>> Mozilla.
>>
>
> Except those that are covered by separate audit reports (also
> submitted). Examples would include cross-signed copies of other root
> CAs (which already submit audit reports), as well as CAs covered by
> submitted audit reports of other parts of the same CA organization (for
> example, StartCom might be cross-signed by WoSign but audited
> separately, and the WoSign EV SubCA is audited separately under
> stricter rules).
>
> For such certificates it would be enough for the parent CA audit report
> to list them and state that separate audit reports should be checked
> for those (the auditor of the parent CA audit report may not know the
> outcome of the subCA audit when issuing his report on the parent
> CA).
The lack of inclusion is the implication that you need to do so. There could be a new criterion that the CA has publicly disclosed (via XXX?) all CA certificates it has signed, but this is not currently a WebTrust criterion.

> Of course the audit of the parent CA should still audit the
> controls that prevent issuing SubCA certificates that are unlikely to
> be compliant, regardless of whether those controls are "we only sign our own
> in-house SubCAs using a multi-person signing ceremony" or "we sign any
> SubCA that pays a fee and passes a full BR audit by Ernst & Young or
> Deloitte".

Exactly the reason I find it concerning when there is no statement of assurance of controls around issuance of subordinate CA certificates.

Thanks,
Peter

