Moudrick, Thanks for clearly breaking down your concerns. Based on this, and the other messages in this thread, I don't think that some of these are issues under the Mozilla policy. Please see my comments below.
On Tue, Jan 4, 2022 at 11:00 PM Moudrick M. Dadashov <[email protected]> wrote:
>
> Disclosing shared CA resources
>
> I'm looking for the CA's human/material resources that are shared with third parties (irrelevant to ownership); in your response I see only the names of three companies.
>
> The audit report
>
> You explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand." The problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).
>
> If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:
>
> "Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
>
> So, we have two different audit scenarios here:
>
> a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB - need to be audited according to their roles.
>
> b) in case Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB - need to be audited according to their roles.
>
> Again, this has nothing to do with ownership relationship.

Mozilla has never required that all legal entities be disclosed or receive separate WebTrust audits when the CA operations are under common management and governance. Many of the WebTrust audit reports implicitly cover multiple legal entities simply by indicating operations in multiple countries.

A few WebTrust audit reports that I checked, including DigiCert, Sectigo, Google, and GlobalSign, all indicate operations in more than one country. As most countries require that people who work in that country be employed by a legal entity in that country, I fully expect that all these audit reports cover multiple legal entities. I do not believe that what Telia is presenting is materially different from what other CAs present. If Mozilla wants to have all the legal entities involved listed in the audit report, that is something that should be included in the Mozilla policy; this would need to be carefully considered, as it does not only impact multi-country CAs, but also CAs that lease data center space, contract other companies to provide physical security, or perform other actions covered under the audit.

> Separation of CP and CPS provisions
>
> You explain that "There are no requirements to specifically separate CP and CPS texts." According to the RFC, the content of these two documents should be different. I'm ok with the combined document CP/CPS (but not content!) - I can't see which part of the combined document should be considered CP. At least section/page numbers could help.

Mozilla does not require that a CP exist at all. It is fully acceptable to only have a CPS - that is, a single document that lays out the practices of the CA.

> Audit scope
>
> Sorry, I can't accept your arguments, see The audit report above.
>
> ********************
>
> To sum up, obviously we are in a loop, I don't see any reason to change my opinion (see 2021-12-29 email).
>
> Thanks,
> M.D.

From my perspective, the issues you raise are not issues under current Mozilla policy.

Thanks,
Peter (my personal view and does not necessarily reflect the views of anyone else)
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAK6vND-k7OVsBuFCCUArxohrkjEMRowVWxAzPYO-cbsBNr%3DerA%40mail.gmail.com.
