On Thu, Apr 5, 2018 at 5:20 AM, Dimitris Zacharopoulos via dev-security-policy <[email protected]> wrote:
> On 5/4/2018 12:02 πμ, Wayne Thayer via dev-security-policy wrote: > >> In a recent discussion [1] we decided to clarify the audit requirements >> for >> new subordinate CA certificates. I’ve drafted a change that requires the >> new certificate to appear in the next periodic audits and in the CP/CPS >> prior to issuance: >> >> https://github.com/mozilla/pkipolicy/commit/09867ef4a0db3b1c >> ab162930c0326c84d272ec10 >> >> We also discussed requiring root key generation ceremony (RKGC) audit >> reports, but I have since realized that the BRs (section 6.1.1.1) only >> require these audit reports for new root certificates. I’m not convinced >> that we should begin requiring an auditor’s report every time a new >> subordinate CA certificate is created. >> >> I would appreciate everyone's comments on this proposed change. >> >> This is: https://github.com/mozilla/pkipolicy/issues/32 >> >> [1] >> https://groups.google.com/d/msg/mozilla.dev.security.policy/ >> CAaC2a2HMiQ/IKimeW4NBgAJ >> ------- >> >> This is a proposed update to Mozilla's root store policy for version >> 2.6. Please keep discussion in this group rather than on GitHub. Silence >> is consent. >> >> Policy 2.5 (current version): >> https://github.com/mozilla/pkipolicy/blob/2.5/rootstore/policy.md >> _______________________________________________ >> dev-security-policy mailing list >> [email protected] >> https://lists.mozilla.org/listinfo/dev-security-policy >> >> > I will copy the proposed change here for convenience: > > " > > 1. MUST be audited in accordance with Mozilla’s Root Store Policy. If > the subordinate CA has a currently valid audit report at the time of > creation of the certificate, it MUST appear on the subordinate CA's > next periodic audit reports. > 2. MUST be publicly disclosed in the CCADB by the CA that has their > certificate included in Mozilla’s root program. The CA with a > certificate included in Mozilla’s root program MUST disclose this > information within a week of certificate creation, and before any > such subordinate CA is allowed to issue certificates. All disclosure > MUST be made freely available and without additional requirements, > including, but not limited to, registration, legal agreements, or > restrictions on redistribution of the certificates in whole or in part. > 3. MUST be added to the relevant CP/CPS before issuing certificates. > > " > > I kind of disagree with 3. The new Subordinate CA Certificate MUST be > added to CCADB (per 2.). It MUST be covered by the audit (per 1.) and show > up in the next report. If a Subordinate CA is operated by the Root > operator, a change in the CP/CPS could probably be just an addition of the > Distinguished Name and a SHA fingerprint. However, CPS changes require > administrative work and several levels of approval which IMHO is not worth > the effort for such an addition. I don't see such a big value for 3. > compared to 1. and 2. > Do you see this as a frequent occurrence such that the overhead of performing this is greater than the value derived by the community in having this information? > Consider the case where you have a Subordinate CA Certificate that you > need to update because you want to change the hashing algorithm (SHA1 --> > SHA256), or change the key size, or renew. This would lead to a new subCA > Certificate with CN "My Subordinate CA Certificate R2", "My Subordinate CA > Certificate R3" and so on. The controls would be exactly the same as the > previous subCA Certificate. > Except how does the community know and verify that those controls are the same? How does the community know and verify if those controls change (e.g. the subordinate CA is immediately sold to a third-party and/or transferred to them) > The 3rd requirement might make more sense for externally operated > Subordinate CAs. According to BRs 6.1.1.1, Key Pairs that are generated for > SubCAs not to be used by the Root CA operator or an Affiliate (meaning an > externally operated Subordinate CA), MUST be witnessed by a Qualified > Auditor (or record the ceremony and get an opinion letter afterwards). It > seems that the BRs require some special treatment when a SubCA Key Pair is > generated for an externally operated entity. Is it worth the effort to > reflect a similar distinction in the Mozilla Policy? > That covers the key generation - but if the subCA is first generated for the CA, and then later transferred to a third-party - which is something that has happened - it's a loophole in both policies and practices. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
