It would be nice to know to whom I'm talking...

[EMAIL PROTECTED] wrote:
> 1. Audit standards (WebTrust and ETSI for example) check that the CA
> complies with its CPS - and that includes subordinates and external
> RAs
>
> From WebTrust: "In the hierarchical model, the root CA maintains the
> established "community of trust" by ensuring that each entity in the
> hierarchy conforms to a minimum set of practices. Adherence to the
> established policies may be tested through audits of the subordinate
> CAs and, in a number of cases, the RAs."
>

You see, that's exactly not enough in my opinion. The "established policies" and "minimum set of practices" can be almost anything. And "may be tested" is like hot air. That's why we have situations where there are 4 or 5 chained sub CAs, residing in different countries even, each belonging to a different legal entity. If each external intermediate CA had to undergo an audit, similar to or the same as that of the parent CA, the situation would be much clearer. We have found even sub CAs which didn't write a CP/CPS for those...nor had the parent CP/CPS a clear definition of the burdens to be placed upon those sub CAs...or the intermediate CA software is made available via download, private key generation and cert done by the "subscriber" of the sub CA...not speaking about physical requirements...
As we are admitting more and more CAs by providing different paths for auditing etc. (quoting Frank again somewhat freely), we also must make sure that we maintain a certain level of reasonable policies, practices and implementations. Not to speak about the higher level of confidence EV should provide. This is what this thread is about...

> 2. The EV audit programme is at:
> http://www.cabforum.org/WebTrustAuditGuidelines.pdf
>
> From that doc: "The CA maintains controls and procedures to provide
> reasonable assurance that: applicable requirements of the CA/Browser
> Forum Guidelines for Extended Validation Certificates are included
> (directly or by reference) in contracts with subordinate CAs, RAs,
> Enterprise RAs, and subcontractors that involve or relate to the
> issuance or maintenance of EV Certificates, and the CA monitors and
> enforces compliance with the terms of the contracts."

This is better, even though the burden is placed on the CA by requiring contracts and compliance with them. Obviously the CA is audited to confirm that it maintains controls and procedures (per said section), which is something I've already hinted at as a possible addition to the Mozilla CA policy:

(Quote from previous mail)
"As we are reviewing possible changes to the Mozilla policy, one of the possible suggestions I'll be making will most likely be that CAs must have established (provable) direct control over their subordinate CAs. Another idea could be that external sub CAs would have to be audited in the same manner as the parent CA. In relation to EV, we could perhaps include only the issuing, intermediate EV CA certificate which was actually audited (since they have a path length of 0, this could guarantee that only the audited and approved CA is issuing EV certificates)."
(End of quote)

As such I understand that you'd support at least one of the proposals above (the former)?
But then again, since the sub CAs aren't audited per se (and only the controls and procedures for compliance with the contract are), what if a CA must maintain its cash-flow, as Kyle would ask? I know that we aren't living in a perfect world, but at least the question is valid and it's certainly legitimate to ask them...

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
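The "path length of 0" idea from the quoted proposal, as an added example that is not part of the original mail: an EV issuing CA whose basicConstraints carries pathLenConstraint=0 cannot delegate issuance to a further (unaudited) sub CA, because a standards-conforming path validator rejects any CA certificate chained below it. The code uses only Go's standard crypto/x509 and constructs all CA names, keys and certificates in memory for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates a key and a certificate for cn signed by parent (self-signed when parent is nil); pathLenZero sets pathLenConstraint=0.
func issue(cn string, isCA, pathLenZero bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	t := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
		MaxPathLen: 0, MaxPathLenZero: pathLenZero, // pathLenConstraint is written only when MaxPathLenZero is true
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// verifyChain builds root -> EV issuing CA (pathlen 0) [-> external sub CA] -> leaf from constructed names; nil means the chain was accepted.
func verifyChain(withSubCA bool) error {
	root, rootKey := issue("Constructed Root CA", true, false, nil, nil)
	issuer, issuerKey := issue("Constructed EV Issuing CA", true, true, root, rootKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(issuer)
	if withSubCA { // an unaudited sub CA chained below the pathlen 0 issuer
		issuer, issuerKey = issue("Constructed External Sub CA", true, false, issuer, issuerKey)
		inters.AddCert(issuer)
	}
	leaf, _ := issue("www.example.com", false, false, issuer, issuerKey)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}
```

verifyChain(false) returns nil, while verifyChain(true) returns a non-nil error because the validator finds one intermediate too many below the pathlen 0 issuer; the same constraint is what a relying party checks when deciding whether the EV chain ends at the audited CA.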

