Hi Kai,

long reply, I appreciate the grounding in actual policies and practices! This allows us to explore what we really can and cannot do.

(I've cut two of your comments out to other posts where they might be generally interesting for the wider audience.)


On 28/12/08 12:13, Kai Engert wrote:
> After having read the posts related to the "unbelievable" event, I
> understand the event involved an approved CA and an external entity they
> work with.


Seems about right.


> From my perspective, it's a CA's job to ensure competent verification
> of certificate requests. The auditing required for CAs is supposed to
> prove it.

[see other post]

> The verification task is the most important task. All people and
> processes involved should be part of the assuring audit.
>
> The current Mozilla CA Certificate Policy says:
> "6. We require that all CAs whose certificates are distributed with our
> software products: ... provide attestation of their conformance to the
> stated verification requirements ..."


OK! And, we can reasonably suggest that pt 7 covers verification, as per the above.

> In my opinion, it means, a CA must do this job themselves.


No, to me, it means the CA must provide attestation of conformance by an independent party. That means they must show how they meet the things that Mozilla lists in pt 7.



Which language suggests they have to do verification *themselves* ?



BTW, it would be quite problematic to insist that the CAs do this job themselves.

CAs are not generally experts on the issues raised. Traditionally, CAs outsource the processes within verification to a range of different organisations: government registries, commercial credit agencies, credit card companies, passport offices, birth registries, etc. That is, to insist they "do it themselves" would mean that they would have to develop skills that might be better handled elsewhere, and might in the end reduce to moving the deckchairs around.


> The policy currently does not appear to handle the scenario where a CA
> delegates the verification job to an external entity. So it's unclear
> whether it's "forbidden" or "allowed if the external entity has received
> equivalent attestation of their conformance".


I conclude it is allowed. However, whichever way it is done, the policy still insists that conformance to pt 7 is required.

So, following that policy, a reasonable investigation to pursue in the current case is what that form of the attestation was, and how precise it was, etc.


> In my personal opinion, a CA violates the Mozilla CA Certificate Policy
> if they delegate the verification job to an external entity not owning
> "attestation of their conformance to the stated verification requirements".


I'm not sure I parse that, but I think you mean:

   If the CA delegates,
   and does not "own" the "conformance" requirement,
   then they have violated the policy.

If so, ok.  I see the following simplification:

   If the CA does not "own" the
   "conformance to verification" requirement,
   then they have violated the policy.


> If we'd like to be strict, we could remove CAs from our approved list if
> they have shown to be non-conforming in the above way.


[see other post]

> In any case, the CA policy should get clarified about involving external
> entities in the verification and issuing process.


There are normal business and PKI assumptions in operation here:

  The CA will involve external entities for as many things as possible.

  The CA will document the external entities.

  The CA will take responsibility for the result.

  (The CA will express its liability and warranty in its RPA.)



It may be that you want to surface and state these assumptions.

However, to turn it into a criterion or policy point, you would need to much more clearly refine your point, *and* you should clearly relate it to how this will improve security. I suggest this is much tougher than it sounds.



E.g., Which external entities are OK?  Why?  How are they checked?

Is it ok to accept an audit?  Which audit?

Where is the line drawn? Is a passport an outsourcing? If not, is a credit card? Is a website?

Why consider external entities when we don't describe documents? If we care to regulate external entities, shouldn't we also regulate use of credit cards, which are known to be poor identity documents?

Is one check enough?  Two?  Correlated?  Serial or parallel?

And add a thousand other questions.  It gets complex!

It is for this reason of complexity that we normally apply a "reasonableness" test. It is reasonable to use external entities, and as long as it is stated in the CPS, then it is up to each party to decide whether they accept that for their individual circumstances.

(Those parties include: the CA, auditor(s), vendors, downstream vendors, relying parties, and ultimately end-users.)


> All existing CAs
> should be required to make a statement about their current business
> practices with regards to external entities.


Right, but I would say that a statement in the CPS covering the external parties is assumed. From my personal view, this would fall in the general bucket of a material statement that should be disclosed, just from normal business, auditing, and quality approaches.

Does anyone see it differently?

The problem you may be facing is that you have not read the CPS, each CPS, and you are only now being surprised at the subtleties and complexity that may be lurking there. See my other comment about the (audit) reliance issues facing you and every other end-user.

Complexity here provides a serious limit on the value of the process. We do not improve matters by making things more complex.


iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto