We have DTP and RA roles slated as part of the validation WG discussion, but only as they relate to validation.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla.org] On Behalf Of Ryan Sleevi via dev-security-policy
Sent: Thursday, March 16, 2017 7:16 AM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec: Next Steps

On Thu, Mar 16, 2017 at 6:01 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 09/03/17 13:32, Ryan Sleevi wrote:
> > (Wearing Google hat only for this statement) Have you considered having this discussion in the CA/Browser Forum? Google had planned to discuss this very topic at our upcoming F2F about how to address this, and would be very interested in collaborating with Mozilla on this. I mentioned this recently to Kathleen at the WebTrust TF meetings, but apologies for not mentioning to you as well.
>
> This sounds like a good idea. Do we want to get this added in an open slot? There may still be time.

Unconference future discussion. If CAs aren't interested in it, and it doesn't get discussed, then that seems like a suitable signal to discuss in the browser policies, doesn't it?

> > I don't understand why you believe it's relevant the act of "Mozilla requiring disclosure of the audits". Can you help me understand where, in the policy, that's required?
>
> I'm not sure where your text in quotes comes from, and nor can I work out the referent of "it", so I don't understand this question.

The quoted text was attempting to summarize the following paragraph from you:

"""No, because in the case of a sub-CA, we require audits. And when we receive them, if they were done by unqualified parties, the CA would need to flag that, and we would make a judgement about that party's suitability at the time. The issue here arises that, because of the way things are set up, these RAs' audits were not submitted to Mozilla, and so Symantec didn't have to resolve the Schrödinger's Cat of (qualified|not qualified and need us to make a judgement)."""

The question here is that it seems you have hinged the acceptability/unacceptability of the auditor on the basis of whether or not it was required to be disclosed. Or, put differently, it sounds as if you suggest the only obligation a CA has to ensure their DTP auditors are qualified for the task at hand is if, and only if, Mozilla requests those audits. In the absence of that request, the CA is allowed to make their own individual determination.

Further, it seems that you are suggesting that if a CA makes that determination, and it's incorrect, that's not a failure on the CA's part, because they made 'a decision', and the relevant portions of Mozilla policy only apply to the 'next' audit. In effect, it makes the question of 'qualified' auditor one which can never look retrospectively to prevent issues or instill a duty of care, and it only applies forward thinking, to the 'next' audits.

Or, put differently, it sounds as if you're suggesting that Symantec, having made a determination of qualified without input from Mozilla, has sufficiently abided by Mozilla's policy. I'm not sure that's a consistent read with the goals or policy stated.

Rather, by making that determination without input from Mozilla, Symantec has instead taken on full liability for that audit. If, as in this case, evidence appears that suggests the auditor is not qualified, then the root issue rests with Symantec for not ensuring that the auditor was qualified. Similarly, all other CAs who are accepting audits from third parties (whether DTPs or sub-CAs), and which are not ensuring those meet the definition of qualified, similarly accept risk of violation. That risk can be mitigated - for example, showing that the auditor is appropriately licensed at the time they conducted the audit, rejecting audits that are clearly problematic - but it's a risk borne through exercising the capability to delegate.

Put one last way (since this is such a thorny issue), I read your reply in the above quoted text to say "Mozilla requires that the CA make a decision. But it doesn't have to be a right one, and it doesn't have to use the same data we would." I'm trying to push back on that, which is every CA has an obligation to make the Right Decision - they have the tools at their disposal to do so, but uncertainty or perceived risk can and should only be mitigated by public consultation before - not after.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy