On Mon, Jan 10, 2022 at 7:08 AM 'Moudrick M. Dadashov' via [email protected] <[email protected]> wrote:
>
> Hi Pekka,
>
> Before your claim can be finalized, we need clarification of the terms in your statement:
>
> "Specifically that Telia hasn't used any third party RAs except in the mentioned client certificate cases".
>
> You explained earlier that Telia is a trademark that Telia Finland Oyj is authorized to use in Finland.
>
> In the Telia's Management Assertion Telia Company AB uses the term Telia as a self short name. The same short name is used in the audit reports.
>
> So, based on the official documents, we don't know which legal entity represents the CA - Telia Company AB (Sweden) or Telia Finland Oyj (Finland). Once we identify the CA, it should be easier for you to disclose/identify other PKI participants, if any.
>
> "And that all other RA functions were operated internally by the Telia group so that all internal RA functions were covered under the WebTrust audit."
>
> Here you use the terms "internally" and "group" that have no meaning in the context of the CA operations - if you think they are defined in existing standards and Mozilla policy, just refer us to the appropriate sources.
>
> Once again, as from the CA operations' (CP/CPS) point of view Telia Company AB and Telia Finland Oyj are two different legal entities, you need to disclose their PKI participant roles as required by all applicable standards and policies I quoted earlier.
Moudrick,

I'm afraid I'm somewhat confused. Mozilla Policy calls out two places where the legal entity has to be disclosed: "ownership or control of the CA’s certificate(s)" and "ownership or control of the CA’s operations". I'm going to assume that the first really should be the CA's private keys, but that is something for a policy discussion.

The CPS says "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)."

From this thread, it seems clear to me that Telia Finland Oyj has ownership of the CA certificate and keys. This has been stated multiple times in the thread. It also seems clear to me that Telia Company AB has overall control of the CA operations, as they are the responsible party as documented in the WebTrust management assertion and addressed in the auditor's opinion.

I am unaware of any requirement in the Mozilla policy (directly or via inclusion by reference) that requires a CA to disclose the employer of all people they contract to assist in operations of the CA. This applies regardless of whether the employer(s) are Affiliates of the legal entity operating the CA, Affiliates of the legal entity owning the private keys, or independent third parties. The thing that matters is that the entity operating the CA takes responsibility for and has control over the actions undertaken by the people operating the CA.

As an example, as I understand it, if Alfa, Inc. owns a private key, they can contract Bravo Ltd. to operate the CA (including RA functions). Bravo Ltd. would then be listed as the responsible party in the WebTrust audit report. Bravo can contract Charlie Pty Ltd, Delta GmbH, and Echo BV to assist in the operations of the CA. This could include providing physical security for the private keys, providing ICT administration, applicant review services, or other work. As long as Bravo has oversight and control of the operations, it is not necessary to list Charlie, Delta, or Echo in the CPS nor in the WebTrust audit report.

I do realize that other regulations and requirements may require disclosure of some or all of Charlie, Delta, or Echo. For example, some CAs disclose information about sub-processors for the purpose of complying with GDPR; see https://www.globalsign.com/en/repository/GlobalSign-Subprocessors.pdf as an example. This is independent of the Mozilla requirements, to the best of my knowledge.

Thanks,
Peter
(my personal view and does not necessarily reflect the views of anyone else)

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAK6vND9N7a9kGrZFeEG%2BfMHdHE2Vf2GsrKNQ%2BviDzKpxBsc3zg%40mail.gmail.com.
