On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Thanks everyone for your input on this topic. I'm hearing consensus that we
> should not require a newly issued subordinate CA certificate to appear on
> an audit statement prior to being used to sign end-entity certificates.
>

There's a little danger here in this phrasing. If a CA generates a key, has
a report, and then places it in a safe for 3 years before issuing the first
cert, I would think you'd want some reports covering this. In particular,
what are the controls around the safe that were protecting the key? How do
we know they didn't simply stow it on a USB stick in someone's unlocked
desk? etc.


> This is something that could be clarified in our policy with a statement
> such as "Newly issued subordinate CA certificates MUST appear on the CA's
> next period-of-time audit statements" in section 5.3.2.
>

This mitigates one window of vulnerability - reducing the span from
multiple years to, at most, one year.


> It's not yet clear to me if we should require something more than
> disclosure of the actual certificate because:
> * All end-entity certificates are already required to contain "A Policy
> Identifier, defined by the issuing CA, that indicates a Certificate Policy
> asserting the issuing CA's adherence to and compliance with these
> Requirements" (BR 7.1.2.3). Isn't this enough to assert the controls
> applied to the subCA certificate?
> * I'm not opposed to explicitly stating that any newly issued subCA
> certificate MUST appear in the appropriate CP/CPS before being used, but
> isn't that obvious?
>

Obvious for whom?
It's not obvious CAs are doing it, no.
For relying parties, it's equally not obvious, but presumably being
inferred by trying to map the policy OID back.


> * The amount of effort needed to verify compliance with a new requirement
> for a management assertion (option #2) is significant and could outweigh
> the benefit we receive from those documents.
> * Peter's sample assertion letter [1] includes a link to an auditor's key
> generation ceremony report. Can this type of audit report be shared
> publicly? If so, those might be a reasonable thing to require via a new
> field in CCADB.
>

I think, for new CAs, the KGC report and the stated CP/CPS, combined with
ensuring that the next audit that covers the period of time stated on the
KGC report includes that certificate, seems like a reasonable balance.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy