On 11/08/2017 15:39, Policy Authority PKIoverheid wrote:
> 2. Why did DDY not implement the serial number entropy as required by the
> 3. Was this detected by the auditor? If not, why not?
> ANSWER ON QUESTION 2:
> DDY concluded wrongly that ballot 164 was not applicable for them since the use
> of sequential serial numbers is not a security risk when used in conjunction
> with the SHA-256 with RSA encryption certificate signing scheme.
> ANSWER ON QUESTION 3:
> Non-compliance with this requirement wasn't noticed by the auditor because DDY
> didn't include the specific requirement in their Statement of Applicability
> (reason: see the answer on question 2). ETSI EN 319 403 (which determines the
> requirements for conformity assessment bodies) is not clear about who
> determines the scope of an audit. The auditor's interpretation was that the
> client (DDY) had to determine the scope of the audit (based on their Statement
> of Applicability). This will be mitigated for future audits with new measure 4.
(apologies if this is a dumb question...)
Can Mozilla / the BRs / whatever enforce making this [ie who determines
the scope of the audits] explicit so issues don't get missed because the
CA/TSP/subCA/intermediates and/or auditor mistakenly believe some items
don't apply? Could we standardize/require some of this "Statement of
Applicability" stuff to be a superset of the BRs, applicable RFCs, etc. ?
Or is that going to be useless either because whatever requirements on
audits/auditors that Mozilla / the BRs would suggest get "trumped" by
ETSI or other rules we can't (directly) influence, or because there are
so many possible permutations of applicability/scope that trying to
specify them in some way defeats the point, in that it would cause more
rather than less confusion?
(just trying to figure out if there is some way we can avoid a
reoccurrence of confusion with other issuers and/or auditors)
dev-security-policy mailing list