Thanks, Ryan

The audit report

You asked if my comment was about Delegated Third Parties - sorry, no, I had in mind the CA [1] and its RAs [] as defined in the BRs.

As I quoted earlier, according to the audit report the CA is a legal entity in Sweden - Telia Company AB; the other participants are also separate legal entities, Telia Finland Oyj and Cygate AB.

Unfortunately this discussion about legal entities vs service providers has gone too far - in the EU service providers can choose different foreign establishment forms ranging from directly managed branches, offices etc. to country specific forms of legal entities. This is important from the business operation, data protection etc. point of view - for more info please see Services directive 2006/123/EC.

Audit scope

"If my above understanding is correct, then I'm not fully sure your argument here is correct. It's certainly true that the RAs, which are DTPs, need to be audited, but that doesn't necessarily propagate to the scope of the parent."

My comment was about Pekka's argument, which is quite typical of Telia Company AB and its affiliates, that their corporate ownership relationship is directly applicable to the CA operations; I believe this is fundamentally wrong.

**************

You also asked if Pekka could share the audits for these two DTPs? I believe that may address part of the concern Moudrick is raising.

The CA has a single audit report and I'm OK with that, but, as I quoted earlier, the audit report says:

"Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: Ryan Sleevi <[email protected]>
Date: 1/5/22 10:57 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>
Cc: Ryan Sleevi <[email protected]>, [email protected], "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

In-line below

On Wed, Jan 5, 2022 at 2:00 AM Moudrick M. Dadashov <[email protected]> wrote:

> The audit report
>
> You explained that "Audit covered all relevant company parts under "Telia Company AB" including "Telia Finland Oyj". I still can't understand why this fact is hard to understand.", the problem here is that we need a single legal entity as the CA cooperates with other PKI participants - these roles must be disclosed clearly (no matter who owns what).
>
> If Telia Finland Oyj is the CA, then all others, including Telia Company AB, should be PKI participants. You need to disclose this. In the meantime the audit report states:
>
> "Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
>
> So, we have two different audit scenarios here:
>
> a) as the audit report is issued to the CA known as Telia Company AB, then the other PKI participants - Telia Finland Oyj and Cygate AB - need to be audited according to their roles.
>
> b) in case Telia Finland Oyj is audited as the CA, then the other two PKI participants - Telia Company AB and Cygate AB - need to be audited according to their roles.
>
> Again, this has nothing to do with the ownership relationship.

If I understand correctly, you are trying to highlight the requirements of Section 8.4 of the Baseline Requirements, namely:

For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.4, that provides an opinion whether the Delegated Third Party's performance complies with either the Delegated Third Party's practice statement or the CA's Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.

Is that correct?

> Audit scope
>
> Sorry, I can't accept your arguments, see The audit report above.

If my above understanding is correct, then I'm not fully sure your argument here is correct. It's certainly true that the RAs, which are DTPs, need to be audited, but that doesn't necessarily propagate to the scope of the parent.

There's been quite a bit of past discussion of this in the CA/Browser Forum, particularly during the WebTrust and ETSI updates. This has included discussions about the expectations for who needs audits when performing particular functions (e.g. the local lawyer in South America who gets copies of documents from the courthouse, verifies them, and uploads them from their home machine was one such point of discussion). More recently, they've included discussions about the need for greater transparency, given ETSI ESI representatives have shared they're pursuing paths that reduce transparency and accountability.

I think your point about transparency, and the need for it, when involving DTPs is apt. However, that doesn't require tackling that by the scope of the CA's audits, which WebTrust representatives have highlighted is problematic (generally for the exact same reasons ETSI sees it advantageous); it allows simply for the DTP to be audited.

Pekka,

Can you share the audits for these two DTPs? I believe that may address part of the concern Moudrick is raising.
-- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/61d6899e.1c69fb81.3002d.0743%40mx.google.com.
