On 02/04/2018 17:12, Julian Inza wrote:
On Saturday, 31 March 2018, 3:01:29 (UTC+2), Wayne Thayer wrote:
On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi <[email protected]> wrote:


I think, for new CAs, the KGC report and the stated CP/CPS, combined with
ensuring that the next audit that covers the period of time stated on the
KGC report includes that certificate, seems like a reasonable balance.


I'll add this to the list for 2.6 and propose some language in a new
"Policy 2.6 Proposal" thread.

Thanks,

Wayne

There are also some situations in which a root CA in an organization is issuing 
a certificate for a Sub-CA in a different organization.

In my opinion, both organizations should perform an audit conforming to EN 319 
411-2.

An interesting point would be to identify which information of the CAR 
(Conformity Assessment Report) is of interest for the Country Supervisory Body 
and which is of interest for Mozilla or other browsers aligned with the CA/B Forum.

One is a key element to be included in the TSL and the other in browser-related 
(for instance Mozilla) root certificate programs.


When a CA issues a SubCA for another organization, the common situation is one of:

A. The SubCA is technically constrained to identities validated by the
  parent CA as belonging exclusively to that other organization.  This
  should be seen as a variant of issuing wildcard certificates, but with
  more stringent checks.  Requiring an audit at the parent CA would be
  pointless overkill.  Current Mozilla Policy seems to handle this case
  well.

B. The SubCA is actually the root of another audited CA (cross signing).
  Here the traditional and sufficient requirement is a full audit of the
  other CA, including that other CA going through the new CA process
  soon before/after the cross signing, but benefiting from the cross-
  signature until relying parties receive the updated root store that
  trusts that other CA.

So in neither case do I see a need to re-audit the parent CA.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
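Case A above rests on the SubCA being technically constrained to the other organization's names. As an added illustration, not code from this thread or from any named CA or project, the Go program below builds a root, a SubCA carrying a critical nameConstraints extension, and a server certificate, then checks that Go's standard chain verification accepts a host inside the permitted subtree and rejects one outside it. All names, serial numbers and the `LeafChainsUnder` function are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// template builds a minimal certificate body; CA certificates get keyCertSign.
func template(cn string, serial int64, ca bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku = x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku,
	}
}

// sign issues tmpl under parent (self-signed when parent is nil) with a fresh P-256 key.
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// LeafChainsUnder reports whether a server certificate for host, issued by a SubCA whose
// critical nameConstraints permit only the DNS subtree `permitted`, verifies to the root.
// Constructed demo: the parent root belongs to one organization, the SubCA to another.
func LeafChainsUnder(host, permitted string) bool {
	root, rootKey := sign(template("Parent Root CA", 1, true), nil, nil)
	subT := template("Other Org Constrained SubCA", 2, true)
	subT.PermittedDNSDomains, subT.PermittedDNSDomainsCritical = []string{permitted}, true
	sub, subKey := sign(subT, root, rootKey)
	leafT := template(host, 3, false)
	leafT.DNSNames = []string{host}
	leafT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	leaf, _ := sign(leafT, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil // false when host lies outside the SubCA's permitted subtree
}
```

The rejection is produced by the relying party's path validation, not by the issuing CA, which is why the constraint makes the SubCA comparable to a wildcard certificate with stronger checks.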
