On 10/31/19 2:51 PM, Ryan Sleevi wrote:
Thanks, Kathleen. Snipped the other changes (which sound good), and a few
replies inline below.
On Thu, Oct 31, 2019 at 4:39 PM Kathleen Wilson via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
2. Full name of the CA that was audited;
3. SHA-256 fingerprint of each root and intermediate certificate that
was in scope of the audit (see format specifications below);
Microsoft policy actually requires the disclosure of the full hierarchy
(c.f.
https://docs.microsoft.com/en-us/security/trusted-root/program-requirements
3.4)
This may help, or harm, the approach used with ALV. There is benefit in
disclosing what is known-and-out-of-scope, but this may cause ALV to
believe that it was in-scope. I've seen CAs disclose explicitly what's
out
of scope (e.g. Amazon), and I find this hugely valuable. You can see the
proposed wording from the BR is actually more explicit:
"""the full PKI hierarchy of all certificates that are capable of being
used to issue new certificates, identified by Distinguished Name and the
SHA-256 fingerprint of each and every certificate, and including all
Roots,
Subordinate CA Certificates, and Cross Certificates, clearly identifying
which were certificates (and associated keys) were in-scope and
out-of-scope of the audit;"""
I will have to look into this. For example, does Microsoft's policy say
that the full CA hierarchy must be disclosed in the audit statement? Or
does their policy just mean that the full CA hierarchy must be disclosed
to Microsoft, which does not necessarily mean public disclosure, and
does not necessarily mean via the audit statement.
Also, I believe that ALV assumes that the SHA-256 fingerprints found in
audit statements are for certs that were in scope of the audit. So the
approach of also listing the SHA-256 fingerprints of certs that were not
in scope might break ALV.
So, it may turn out that we need another requirement saying that SHA-256
fingerprints for certs not in scope of the audit must not be in the
audit statement.
It's unclear Microsoft's position here.
https://docs.microsoft.com/en-us/security/trusted-root/audit-requirements B
indicates that the CA MUST include the entire hierarchy /in/ the scope of
the audit, so it seems the answer is "Yes", but that's not entirely
followed.
The WebTrust Illustrative Guidance provides guidance on how to do this
(e.g. for the non-performance of activities).
The reason I highlight this is that it significantly reduces the
ambiguities that we're seeing with Intermediate ALV and the questionable
reissuance of reports, and/or CA-defined AUP for retroactive reports.
Forcing the disclosure of the explicit scope - and the consideration -
resolves the ambiguity that we presently see, which is "Was it in scope,
and the auditor looked and forgot to say this, or was it out of scope, and
the auditor never looked"
From Microsoft:
1) Quote: "We do not require CAs to disclose their hierarchy within the
audit letter itself."
2) Summarized: ALV tries to find a match in the Audit Letter for the
SHA256 thumbprint that is sent by CCADB. Listing thumbprints that were
out of scope within an audit letter could cause ALV to produce
inaccurate results. It would be good to state that audit letters MUST
NOT contain the SHA-256 thumbprints for certs that were out of scope.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
