On Wed, Mar 8, 2017 at 1:29 AM, Santhan Raj via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Ryan,
>
> Section 8.4 (cited below), as worded today, does not mandate a DTP to go through an audit. Rather, it requires the CA to perform additional out-of-band checks or perform the domain/IPAddress validation (3.2.2.4 & 3.2.2.5) by itself, when the DTP is not audited as per 8.4 (btw BR incorrectly refers to section 8.1 for audit schemes).
>
> It allows (or doesn't prohibit) the DTP to perform other validation checks in 3.2.2 (while the CA performs 3.2.2.4/5) without going through a WebTrust/ETSI audit, and a CA may choose to perform an internal audit of the DTP's process vs forcing them through a WebTrust/ETSI audit.
>
> There are other checks the CA must perform, but as far as I can tell there isn't any requirement that states a "DTP MUST go through an audit" in the BRs.
>
> "If a Delegated Third Party is not currently audited in accordance with Section 8 and is not an Enterprise RA, then prior to certificate issuance the CA SHALL ensure that the domain control validation process required under Section 3.2.2.4 or IP address verification under 3.2.2.5 has been properly performed by the Delegated Third Party by either (1) using an out-of-band mechanism involving at least one human who is acting either on behalf of the CA or on behalf of the Delegated Third Party to confirm the authenticity of the certificate request or the information supporting the certificate request or (2) performing the domain control validation process itself."

I think we may read this differently, Santhan. Either the issuing CA must themselves verify the information present in the request - in which case, the DTP acts as an information aggregator, effectively, and the CA is performing the verification function - or if the DTP's validation of the information is to be trusted, then they MUST undergo an audit.