First, my sincere apologies for being missing from this group over the past few weeks. A combination of illness (both my own and family), out-of-town trips, and other Mozilla Foundation business kept me from having any significant time to devote to CA matters. I am working on ways to ensure that I am not the bottleneck in this process in the long term; in the short term I'm going to try to restart CA public discussions on a regular schedule.

Per the CA schedule, the next CA on the list for public comment is WISeKey, which has applied to add its (one) root CA certificate to the Mozilla root store, as documented in the following bug:

  https://bugzilla.mozilla.org/show_bug.cgi?id=371362

and in the pending certificates list here:

  http://www.mozilla.org/projects/security/certs/pending/#WISeKey

WISeKey has been through an initial comment period a while back, during which we got involved in a lengthy discussion about WISeKey's Blackbox product (a "CA in a box" product intended for enterprise deployment) and whether and how auditing was done for WISeKey's subordinate CAs associated with that product. WISeKey supplied more information about their arrangements, which you can find in the bug.

We've had some lengthy discussions about the issue of auditing subordinate CAs. I'm not going to rehash all those discussions; I'll just summarize my current thinking:

First, the general issue of auditing subordinate CAs was something we didn't think through much when we did our Mozilla CA policy: We were thinking of a fairly simple model where a CA organization operated both its root CA(s) and also any subordinate CAs under those roots, with a CPS and associated audit that covered both the root and all subordinates. In actual practice things are more complicated, and our policy didn't really capture that complication.

My personal opinion is that it doesn't make sense to try to address this complication by mandating traditional WebTrust-style audits of any and all subordinates under a root. I think this approach is impractical, and I don't think it's necessary. I'd rather look at the overall manner in which CAs exercise controls over subordinates, legally, technically, and otherwise, as well as the general nature of the subordinates and how they function in practice. I think in some cases it might make sense to require audits for all subordinates, and in some cases it might not.

For purposes of this particular evaluation, my goal is for us to gain a shared understanding of what WISeKey actually does, including getting answers to any remaining questions, and then I'll make a judgement call as to whether what WISeKey is doing meets the general intent of our policy.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
