David E. Ross wrote, On 2008-12-28 21:40 PST:

> Now that it is known that a subordinate reseller operating under one CA 
> issued certificates without authenticating the identity of the 
> subscribers, we know that the theoretical concern expressed (before all 
> this) about resellers is no longer theoretical.  NOW is the time to 
> require that all CAs supervise the operations of their RAs and resellers.
> This must be done in a way that independent audits of the CAs examine the
> implementation of such supervision, which can be accomplished by
> requiring (at least with respect to the Mozilla database) that CPs
> explicitly address how that supervision is performed.
> 
> Either a CA's CP must explicitly state that there are NO external RAs or 
> resellers, or else the CP must describe how external subordinates are 
> monitored.  Without this, a CA's request to have its root certificate 
> included in the Mozilla database should be denied.

+1

Perhaps the policy should even go so far, as Kai has suggested, as to
require that whatever entity performs the verification of subject
identity for the CA must be audited.

Section 6 of the policy requires that "all CAs whose certificates are
distributed with our software products" must "prior to issuing certificates,
verify certificate signing requests in a manner that we deem acceptable",
and "provide attestation of their conformance to the stated verification
requirements and other operational criteria by a competent independent party
or parties with access to details of the CA's internal operations."

I think that last part clearly assumed that the "verification requirements"
were part of "the CA's internal operations", an assumption that we now know
is untrue.  So, I would suggest changing it from "access to details of the
CA's internal operations" to "access to the details of the operations that
verify the certificate signing requests, whether internal or external".

> Since an audit will generally report on the implementation of such a
> policy but not necessarily on the policy's adequacy, the internal and
> public reviews of CA requests must examine the adequacy of the CA's
> policy for monitoring external subordinates.

Yes.  Agreed.  I think the policy should define some parameters (bounds)
for determining the adequacy of CSR verification.  Is it acceptable to
have hundreds of parties each responsible for verifying CSRs for a
single CA (single issuer)?  If not, what limit should apply?

I'd like to see any statements made by Mozilla at the beginning of the
week of public review to explicitly speak to the CSR verification process,
and whether it is internal or external, and how many RAs (or parties
entrusted with verifying CSRs) exist for the particular CA (organization),
and the number of CSR verification parties per subordinate CA.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto