Operating a technically unconstrained issuing CA, Siemens CA (aka TSP) does something very similar in case a new CA is necessary:
* In an audited ceremony, based on the operational and technical controls audited in the last annual audit, a key pair is generated on one of the HSMs
* A CSR is constructed and sent to our cross-signing partner, together with the witness report of the auditor, filled with all the information required by Microsoft in the Audit Cover Letter Template
* The cross-signing partner checks the report and creates the certificate for the issuing CA

After receiving the new certificate we update our CPS. Only after the new CPS is published are certificates issued. In the next annual audit the new CA is part of the normal audit.

So I would recommend choosing a combination of options #1 and #2.

With best regards,
Rufus Buschart

Siemens AG
GS IT HR 7 4
Hugo-Junkers-Str. 9
90411 Nuernberg, Germany
Tel.: +49 1522 2894134
mailto:rufus.busch...@siemens.com
www.siemens.com/ingenuityforlife

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+rufus.buschart=siemens....@lists.mozilla.org] On Behalf Of Bruce via dev-security-policy
Sent: Wednesday, 28 March 2018 23:38
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Audits for new subCAs

Entrust does the following:

- Each subCA certificate is created through an audited ceremony. The auditor creates a report indicating the key ID and the CPS which was used for key generation.
- When it is time for the subCA to go into production, an intermediate certificate is issued from a root. The intermediate certificate will meet the requirements of the CPS and the BRs if applicable.
- The subCA can now issue certificates. The end entity certificates will have a certificate policy which is stated in the CPS. As such, issuing a certificate is an assertion that the subCA is issuing in accordance with the certificate policy and CPS.
- The new subCA is compliance audited at the next time in our annual audit cycle. Note the new subCA is operated the same as all other CAs meeting the same certificate policy.

I would note that if there was a significant change such as data center location or new certificate policy, then we may want to consider a point-in-time readiness assessment. I think that all CAs required a point-in-time readiness assessment, before we started to issue EV certificates. I suppose that I am stating that I support option 1 as I think the option 2 attestations are already covered. However, option 3 may be required for a new data center or a policy which has not been previously audited.

Thanks, Bruce.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
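The steps both posts describe (key pair generated in a ceremony, CSR handed to the signing partner, sub-CA certificate issued from the root, end-entity issuance only once the CPS is published, with the CPS policy OID asserted in every certificate below the root) can be modelled end to end with the openssl CLI. The script below is an added example and is not code from Siemens, Entrust or either author; a file key stands in for the HSM, the partner root is generated locally, and all names, the policy OID 1.3.6.1.4.1.99999.1.1 and the "cps-published" marker file are constructed placeholders. It assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example: file-based model of sub-CA onboarding as described in the thread.
# Assumptions: openssl >= 1.1.1; file key instead of an HSM; all names, the policy OID
# and the CPS marker file are constructed placeholders, not real CA values.
set -eu

WORK=${WORK:-$(mktemp -d)}
POLICY_OID="1.3.6.1.4.1.99999.1.1"   # placeholder for the policy OID named in the CPS

# Extension profiles for the partner root, the new sub-CA (pathlen:0) and end entities.
write_profiles() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
certificatePolicies = $POLICY_OID
[v3_ee]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
certificatePolicies = $POLICY_OID
subjectAltName = DNS:www.example.test
EOF
}

# The cross-signing partner's root (constructed here so the example is self-contained).
make_partner_root() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
    openssl req -x509 -new -key "$WORK/root.key" -config "$WORK/ca.cnf" -extensions v3_root \
        -subj "/O=Partner Example/CN=Partner Example Root" -days 30 -out "$WORK/root.pem"
}

# Step 1: key pair for the new issuing CA (in the thread: generated on an HSM in an audited ceremony).
ceremony_subca_key() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/subca.key"
}

# Step 2: CSR built from that key, to be sent to the partner with the auditor's witness report.
make_subca_csr() {
    openssl req -new -key "$WORK/subca.key" -config "$WORK/ca.cnf" \
        -subj "/O=Operator Example/CN=Operator Example Issuing CA 1" -out "$WORK/subca.csr"
}

# Step 3: the partner checks the request (self-signature proves key possession) and issues the sub-CA cert.
partner_issue_subca() {
    openssl req -in "$WORK/subca.csr" -verify -noout
    openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_subca -out "$WORK/subca.pem"
}

# Step 4: CPS publication, modelled as a marker file; issuance is gated on it.
publish_cps() { : > "$WORK/cps-published"; }

# Step 5: the sub-CA issues an end-entity certificate carrying the same policy OID.
subca_issue_ee() {
    [ -f "$WORK/cps-published" ] || { echo "CPS not published; refusing to issue" >&2; return 1; }
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ee.key"
    openssl req -new -key "$WORK/ee.key" -config "$WORK/ca.cnf" -subj "/CN=www.example.test" -out "$WORK/ee.csr"
    openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/subca.pem" -CAkey "$WORK/subca.key" \
        -CAcreateserial -days 30 -extfile "$WORK/ca.cnf" -extensions v3_ee -out "$WORK/ee.pem"
}

# Checks an auditor or relying party can run over the resulting artifacts.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/subca.pem" "$WORK/ee.pem" >/dev/null
}
policy_asserted() {
    openssl x509 -in "$WORK/subca.pem" -noout -text | grep -q "Policy: $POLICY_OID" &&
    openssl x509 -in "$WORK/ee.pem" -noout -text | grep -q "Policy: $POLICY_OID"
}
pathlen_constrained() {
    openssl x509 -in "$WORK/subca.pem" -noout -text | grep -q "CA:TRUE, pathlen:0"
}

run_demo() {
    write_profiles
    make_partner_root
    ceremony_subca_key
    make_subca_csr
    partner_issue_subca
    if subca_issue_ee 2>/dev/null; then echo "unexpected: issued before CPS publication" >&2; return 1; fi
    publish_cps
    subca_issue_ee
    chain_verifies && policy_asserted && pathlen_constrained && echo "sub-CA chain OK in $WORK"
}
run_demo
```

The three check functions are the part worth keeping: they confirm that the chain builds to the partner root, that the policy OID from the CPS is present on the sub-CA and on the leaf, and that the sub-CA cannot itself create further CAs.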