A reasonable control can include contractual controls, thus 6.6 is solved simply via contract with the CA. Section 8.7 does give some control (and I missed that when going through this the first time), but the audit criteria is only that the CA reviews a 3% sample. As long as I documented that I review the RA practices and did the 3% review (regardless of the results), then the CA escapes oversight on its validation process.
From: Wayne Thayer <[email protected]> Sent: Wednesday, April 18, 2018 1:18 PM To: Jeremy Rowley <[email protected]> Cc: mozilla-dev-security-policy <[email protected]> Subject: Re: RAs and the BRs On Tue, Apr 17, 2018 at 9:21 PM, Jeremy Rowley via dev-security-policy <[email protected] <mailto:[email protected]> > wrote: There is a way to get zero-validation certs, totally legit, under the BRs. Currently, the BRs permit pretty much free delegation of Registration Authorities for everything except domain verification. Without RA audit requirements or even a requirement that the CA monitor/control the RA, the cynical-side of me doubts whether the verification is enforced without the CA first receiving a third-party complaint. Section 1.32 permits free RA delegation if the verification requirements are met by the process as a whole and that a contract exist between the delegated third party to do the following:"(1) Meet the qualification requirements of Section 5.3.1, when applicable to the delegated function; (2) Retain documentation in accordance with Section 5.5.2; (3) Abide by the other provisions of these Requirements that are applicable to the delegated function; and (4) Comply with (a) the CA's Certificate Policy/Certification Practice Statement or (b) the Delegated Third Party's practice statement that the CA has verified complies with these Requirements.". Essentially, as long as there is a) a contract between the CA and RA, and b) the CA is performing domain verification (and c) no one complains), the RA is free to do whatever the RA deems appropriate, permitting the CA to circumvent the BRs and audit oversight. There's no requirement that the CA audit the RA's role in the verification process or that the RA provide any reporting to the CA or auditors. BR section 1.3.2 defines a Registration Authority as a Delegated Third Party. Section 8.7 says: Except for Delegated Third Parties that undergo an annual audit that meets the criteria specified in Section 8.1, the CA SHALL strictly control the service quality of Certificates issued or containing information verified by a Delegated Third Party by having a Validation Specialist employed by the CA perform ongoing quarterly audits against a randomly selected sample of at least the greater of one certificate or three percent of the Certificates verified by the Delegated Third Party in the period beginning immediately after the last sample was taken. The CA SHALL review each Delegated Third Party’s practices and procedures to ensure that the Delegated Third Party is in compliance with these Requirements and the relevant Certificate Policy and/or Certification Practice Statement. The CA SHALL internally audit each Delegated Third Party’s compliance with these Requirements on an annual basis. The WebTrust BR audit criteria include a number of controls related to CA oversight of Delegated Third Parties, including 6.6: The CA maintains controls to provide reasonable assurance that the CA internally audits each Delegated Third Party’s compliance with the Baseline Requirements on an annual basis. Combined with method 1, there is no obligation the CA actually do anything to vet the customer or obtain any evidence that the customer even exists. As you all know, method 1 requires only that the CA confirm the WHOIS information matches the applicant. As long as the WHOIS information matches, problem solved. As noted above, the RA is not actually required to do any validation (just say that they do) so if the RA passes over the WHOIS name as the verified information, the cert will issue without a second glance. I realize that method 1 and method 5 are going away (for good reason), but that doesn't happen until August. I'd be interested in seeing whether someone can get a cert in this manner from a CA that supports RAs. Jeremy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
