> > For the kind of RA that only does specific relevant parts of validation
> > (a "traditional" RA), the suggested policy as written would "simply"
> > require the CA to set up and maintain one (set of) subCAs for each of
> > their RAs, while your rephrasing as a ban on RA/DTP relationships would
> > impose the full cost of a formal WebTrust (etc.) audit on RAs that only
> > perform a specific limited function that could be audited much cheaper,
> > provided the CA systems were set up to have little dependency on
> > certificate specific activities and security at the RAs.
> >
>
> This misunderstands Policy 1 then, and is perhaps the substance of our
> unintentional disagreement.
>
> If a CA sets up and maintains one (set of) sub CAs for each RA, then each
> of those subCAs would need to be audited. This is no different than the
> existing requirements, within the Baseline Requirements, that each DTP be
> audited. I would highlight Section 8 of the Baseline Requirements for you,
> and ask that you clarify where, under the existing policies (e.g. ignoring
> any policy proposal) you believe there is any provision for allowing a DTP
> to be "audited much cheaper".
Ryan,

Section 8.4 (cited below), as worded today, does not mandate a DTP to go through an audit. Rather, it requires the CA to perform additional out-of-band checks or perform the domain/IP Address validation (3.2.2.4 & 3.2.2.5) by itself, when the DTP is not audited as per 8.4 (btw, the BR incorrectly refers to section 8.1 for audit schemes). It allows (or doesn't prohibit) the DTP to perform other validation checks in 3.2.2 (while the CA performs 3.2.2.4/5) without going through a WebTrust/ETSI audit, and a CA may choose to perform an internal audit of the DTP's process vs. forcing them through a WebTrust/ETSI audit. There are other checks the CA must perform, but as far as I can tell there isn't any requirement that states a "DTP MUST go through an audit" in the BRs.

"If a Delegated Third Party is not currently audited in accordance with Section 8 and is not an Enterprise RA, then prior to certificate issuance the CA SHALL ensure that the domain control validation process required under Section 3.2.2.4 or IP address verification under 3.2.2.5 has been properly performed by the Delegated Third Party by either (1) using an out-of-band mechanism involving at least one human who is acting either on behalf of the CA or on behalf of the Delegated Third Party to confirm the authenticity of the certificate request or the information supporting the certificate request or (2) performing the domain control validation process itself. If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, that provides an opinion whether the Delegated Third Party's performance complies with either the Delegated Third Party's practice statement or the CA's Certificate Policy and/or Certification Practice Statement."
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy