After having read the posts related to the "unbelievable" event, I understand the event involved an approved CA and an external entity they work with.

From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it.

The verification task is the most important task. All people and
processes involved should be part of the assuring audit.

The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."

In my opinion, it means a CA must do this job itself.

The policy currently does not appear to handle the scenario where a CA
delegates the verification job to an external entity. So it's unclear
whether it's "forbidden" or "allowed if the external entity has received
equivalent attestation of their conformance".

In my personal opinion, a CA violates the Mozilla CA Certificate Policy
if they delegate the verification job to an external entity not owning
"attestation of their conformance to the stated verification requirements".

If we'd like to be strict, we could remove CAs from our approved list if
they have been shown to be non-conforming in the above way.

In any case, the CA policy should get clarified about involving external
entities in the verification and issuing process. All existing CAs
should be required to make a statement about their current business
practices with regards to external entities. After a grace period, all
CAs must either stop using external entities, or get "conformance
attestation" for all involved entities.

Kai

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto