On 11/08/2017 15:39, Policy Authority PKIoverheid wrote:
2. Why did DDY not implement the serial number entropy as required by the 
Baseline Requirements?
3. Was this detected by the auditor? If not, why not?


DDY concluded wrongly that ballot 164 was not applicable for them since the use 
of sequential serial numbers is not a security risk when used in conjunction 
with the SHA-256 with RSA encryption certificate signing scheme.
Non-compliance with this requirement wasn't noticed by the auditor because DDY 
didn't include the specific requirement in their Statement of Applicability 
(reason: see the answer to question 2). ETSI EN 319 403 (which determines the 
requirements for conformity assessment bodies) is not clear about who 
determines the scope of an audit. The auditor’s interpretation was that the 
client (DDY) had to determine the scope of the audit (based on their Statement 
of Applicability). This will be mitigated for future audits with new measure 4.

(apologies if this is a dumb question...)

Can Mozilla / the BRs / whatever enforce making this [ie who determines the scope of the audits] explicit so issues don't get missed because the CA/TSP/subCA/intermediates and/or auditor mistakenly believe some items don't apply? Could we standardize/require some of this "Statement of Applicability" stuff to be a superset of the BRs, applicable RFCs, etc. ?

Or is that going to be useless either because whatever requirements on audits/auditors that Mozilla / the BRs would suggest get "trumped" by ETSI or other rules we can't (directly) influence, or because there are so many possible permutations of applicability/scope that trying to specify them in some way defeats the point, in that it would cause more rather than less confusion?

(just trying to figure out if there is some way we can avoid a reoccurrence of confusion with other issuers and/or auditors)

~ Gijs