Thanks, Pekka. Just in case, PKI participant is defined in RFC 3647 and should be disclosed in the CA's CPS, but don't worry, we are having another do a-la Telia "industry standard".
Thanks,
M.D.

On Wed, Jan 5, 2022, 16:25 [email protected] <[email protected]> wrote:

> Telia CA is legally operated by "Telia Finland Oyj" so that there is common management within several Telia units. For Telia CA the partially common management consists of three fully Telia owned affiliated companies: "Telia Company AB", "Telia Finland Oyj" and "Cygate AB". In this case, like Peter said, it is the normal way to create only one audit report that covers multiple legal entities simply by indicating operations in multiple countries. This is what we have provided.
>
> I think that Moudrick is using the term "PKI participant" like it would mean "Delegated Third Party". But I think that is not the right term for Telia CA. The best definitions I found for "third party" and "affiliate" are from the BR and it is clear that the Telia CA case is the latter (not delegating functions):
>
> Delegated Third Party: A natural person or Legal Entity that is not the CA but is authorized by the CA, and whose activities are not within the scope of the appropriate CA audits, to assist in the Certificate Management Process by performing or fulfilling one or more of the CA requirements found herein.
>
> Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity.
>
> All three listed Telia affiliates were included in the Telia CA audit scope. There are no non-audited Telia CA parts for TLS. In our Server CP/CPS 1.3.2 we say that "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party".
>
> On the Telia client certificate process we define in our Client CP/CPS how Enterprise RA may be used and that Telia Class 3 client certificates (which are outside of Mozilla context) are using external RA. I think that Enterprise RA is a normal concept on client certificates. I can't see any problems in this either.
>
> I hope that Mozilla now concludes if there is something that is against Mozilla policies or not. I haven't yet found any relevant issues in this discussion. I'm ready to improve our CPS or suggest new audit report formulation next time if I get instructions how. Our new root should be accepted soon so that we can replace the old one that has technical issues (read audit report).
>
> On Wednesday, 5 January 2022 at 14:28:53 UTC+2, [email protected] wrote:
>
>> Thanks, Peter
>>
>> "*Mozilla has never required that all legal entities be disclosed or receive separate WebTrust audits when the CA operations are under common management and governance.*"
>>
>> I'm afraid this is a different case - BTW so far nobody requested separate audits.
>>
>> The applicant - Telia Finland Oyj - is a legal entity (with its own management) and the fact that it's owned by another company (Telia Company AB) doesn't create any privileges for the latter, meaning that if the owner is a PKI participant, its roles and obligations need to be clearly disclosed. According to the audit report I quoted earlier, Telia Company AB is the CA.
>>
>> "*I do not believe that what Telia is presenting is materially different from what other CAs present.*"
>>
>> The CAs you are referring to are legal entities doing CA business; this is not the case here - Telia Company AB and its affiliates are telcos/ISPs and from a business point of view their income from the CA operations relative to their business is near 0%. So from the root program point of view this CA is unique.
>>
>> "*Mozilla does not require that a CP exist at all. It is fully acceptable to only have a CPS - that is a single document that lays out the practices of the CA.*"
>>
>> I'm sure you know better what Mozilla requires, but I'm relying on the publicly available policy, see section 3.3 here:
>>
>> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities
>>
>> Thanks,
>> M.D.
>>
>> On Wed, Jan 5, 2022, 11:49 Peter Bowen <[email protected]> wrote:
>>
>>> Moudrick,
>>>
>>> Thanks for clearly breaking down your concerns. Based on this, and the other messages in this thread, I don't think that some of these are issues under the Mozilla policy. Please see my comments below.
>>>
>>> On Tue, Jan 4, 2022 at 11:00 PM Moudrick M. Dadashov <[email protected]> wrote:
>>> >
>>> > Disclosing shared CA resources
>>> >
>>> > I'm looking for the CA's human/material resources that are shared with third parties (irrelevant to ownership); in your response I see only the names of three companies.
>>> >
>>> > The audit report
>>> >
>>> > You explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand." The problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).
>>> >
>>> > If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:
>>> >
>>> > "Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
>>> >
>>> > So, we have two different audit scenarios here:
>>> >
>>> > a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB - need to be audited according to their roles.
>>> >
>>> > b) in case Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB - need to be audited according to their roles.
>>> >
>>> > Again, this has nothing to do with the ownership relationship.
>>>
>>> Mozilla has never required that all legal entities be disclosed or receive separate WebTrust audits when the CA operations are under common management and governance. Many of the WebTrust audit reports implicitly cover multiple legal entities simply by indicating operations in multiple countries. A few WebTrust audit reports that I checked, including DigiCert, Sectigo, Google, and GlobalSign, all indicate operations in more than one country. As most countries require that people who work in that country be employed by a legal entity in that country, I fully expect that all these audit reports cover multiple legal entities.
>>>
>>> I do not believe that what Telia is presenting is materially different from what other CAs present. If Mozilla wants to have all the legal entities involved listed in the audit report, that is something that should be included in the Mozilla policy; this would need to be carefully considered, as it does not only impact multi-country CAs, but also CAs that lease data center space, contract other companies to provide physical security, or perform other actions covered under the audit.
>>>
>>> > Separation of CP and CPS provisions
>>> >
>>> > You explain that "There are no requirements to specifically separate CP and CPS texts."; according to the RFC the content of these two documents should be different. I'm ok with the combined document CP/CPS (but not content!) - I can't see which part of the combined document should be considered CP. At least section/page numbers could help.
>>>
>>> Mozilla does not require that a CP exist at all. It is fully acceptable to only have a CPS - that is a single document that lays out the practices of the CA.
>>>
>>> > Audit scope
>>> >
>>> > Sorry, I can't accept your arguments, see "The audit report" above.
>>> >
>>> > ********************
>>> >
>>> > To sum up, obviously we are in a loop; I don't see any reason to change my opinion (see 2021-12-29 email).
>>> >
>>> > Thanks,
>>> > M.D.
>>>
>>> From my perspective, the issues you raise are not issues under current Mozilla policy.
>>>
>>> Thanks,
>>> Peter
>>> (my personal view and does not necessarily reflect the views of anyone else)

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMMZRrzWdVhKyi7ZsFBhxnQ7zOEs-tAwKy1QSiQze7z3q6ZqiA%40mail.gmail.com.
