Frank Hecker wrote:
Eddy Nigg (StartCom Ltd.) wrote:
It seems to me that, even though I believed EV would change that, nothing will change in that respect, especially the vetting of the issuing CAs.

I suggest asking the CAB Forum directly whether all subordinate CAs must be explicitly audited or not. I believe they don't, see also below. I'm not saying that the answer from the CAB Forum must provoke a certain decision on our side, but it's in any case good to know as we review inclusion and upgrade requests. Additionally we might consider our requirements and practices for including EV roots.
"During the period in which it issues EV Certificates
-> it = the CA

the CA and its Root CA MUST undergo and pass an annual audit
-> again it's the CA and its root which passes the annual audit

Such audits MUST cover all CA obligations
-> the obligations are that the CA maintains controls and procedures to provide reasonable assurance that...in contracts with subordinate CAs...

under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor."

Which means quite clearly that the subordinate CAs are NOT audited, only that the CA maintains controls and procedures to provide *reasonable* assurance!

AFAIK "CA" in this context means "issuing CA" in the sense you've been using it, namely the CA that actually issues the end entity EV certs. So whether or not this is actually being done in practice, I think the EV guidelines are pretty clear that it is not sufficient merely for the root CA to be audited; the audit requirements extend to each and every subordinate CA issuing EV certs.

I guess this time you are wrong :-)


--
Regards
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390



_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
