On Tue, Mar 7, 2017 at 6:01 PM, Kathleen Wilson via dev-security-policy < [email protected]> wrote:
> 1) Domain Validation Methods
> For the CA, I recommend reviewing section 3.2.2.4 of version 1.4.1 of the
> CA/Browser Forum’s Baseline Requirements, because many of the relevant
> subsections are currently redacted in version 1.4.2 due to ongoing
> discussions in the CAB Forum. Nevertheless, the CA can review version 1.4.1
> to further bolster their domain validation policies and practices.
>
> I am hoping that the CAB Forum will resolve the issues that caused the
> redaction of some sections of the BRs, such that a new version will be
> published by the end of March that has the same level of information about
> domain validation as version 1.4.1 of the BRs.
>
> Gerv and I plan to send a CA Communication around the end of March, and
> plan for one of the action items to require that CAs update their CP/CPS,
> because it should be updated annually. And also to update their domain
> validation practices and policies.
>

While this applies to the overall process of domain validation, I was calling this specific matter out as it was the original motivation for the work presented three years ago, in part due to the security concerns Google raised to the Forum regarding it.

That is, the practical demonstration of control for the server is one of the non-redacted/placeholder versions, so the description of file-based control should at least be reformed to this degree of 3.2.2.4.6, since it's hard to justify any other file-based control meets the equivalent level of security under 3.2.2.4.11.

> 2) Qualified audit statement listing serial number generation deficiencies
> for the time period from September 30, 2016 to when it was fixed by the CA.
>
> There is a lag between when a BR is updated/adopted, and when the audit
> principles/criteria are adopted. So, I am not convinced that an audit
> during that time period would cover that particular control, and list it as
> an exception in the audit statement.
>

Correct, while it's unlikely that a specific illustrative control and/or new principle will be introduced in this regard, even when the WebTrust for CAs - SSL Baseline Requirements are updated to incorporate that version of the Baseline Requirements, it is a failure with respect to the CA's statement that the policies and practices outlined in the latest published version of the Baseline Requirements supersede that of the CP/CPS, which is where the qualification would be derived from.

That is, CAs are expected to conform to the Baseline Requirements as they're updated/adopted, but there may not be auditable controls attached to them until one or two years after the passage, depending on the WebTrust TF or ETSI meeting to incorporate such requirements explicitly. However, they are all normative implicitly, per the stated adherence to the Baseline Requirements.

