I'd now like to revisit the issue of approving CAs that are not WebTrust-audited, and I'd like to start with the issue of "WebTrust-equivalent" audits, for three reasons. First, this is a concept that Microsoft uses in their own approval process:
http://www.microsoft.com/technet/security/news/rootcert.mspx#EFAA
and is worth looking at if only for consistency with what is done for IE, especially since a number of other projects/products seem to follow Microsoft's lead in this regard. Second, we have at least one candidate CA, QuoVadis, which falls in this category, and I'd like to make a decision in the short term about including them or not. (Goodness knows they've been waiting long enough for such a decision.) Finally, I can use this as a concrete way to restart discussion on the feasibility of creating a Mozilla-specific set of CA criteria.
So what does "WebTrust-equivalent" really mean, if anything, and what evidence might be needed to determine that a CA has passed a "WebTrust-equivalent" audit? Let's take QuoVadis as an example. QuoVadis is not currently officially WebTrust-audited. (As I understand it, QuoVadis is in process for WebTrust, but final approval is waiting on things like financial audits that are somewhat orthogonal to the actual CA audits.)
Instead, QuoVadis's current state is as follows:
* QuoVadis claims conformance to a set of Bermudan government regulations relating to CAs:
http://www.quovadis.bm/support/library/Bda_CSP.pdf
and has been certified by the Bermudan government as meeting those requirements
http://www.quovadis.bm/support/library/csp.gif
based on an audit conducted by Ernst & Young on behalf of the Bermudan government. (The audit report is not a public document, so I can't provide a link.)
* Ernst & Young also did a separate audit to meet the Microsoft requirement that the CA "provide an equivalent third-party attestation" if it were not officially WebTrust-approved, and provided a letter to QuoVadis and Microsoft containing such an attestation. The letter is not a public document, so I can't provide a link (although I have seen a copy of the letter).
So, based on the QuoVadis experience I would tentatively define "WebTrust-equivalency" as follows:
* The CA claims conformance to a set of criteria equivalent to those used in WebTrust:
http://www.aicpa.org/webtrust/caexec~1.htm
I say "equivalent" rather than "identical" because the CA's criteria could go beyond WebTrust criteria in some areas, and also because the WebTrust criteria themselves do not necessarily dictate that a CA must do things in one and only one way, with no leeway for deviating from that.
* The CA's conformance to these criteria has been attested to by an independent third party (as opposed to the CA doing its own audit).
* Optionally: The independent third party in question is authorized to perform WebTrust audits, and hence is qualified to render a judgement on whether the CA is conforming to criteria equivalent to the WebTrust criteria.
(Note that IMO this third item is optional since the WebTrust criteria are public and therefore in theory anyone could make a determination that the criteria being used are equivalent to WebTrust criteria.)
My proposal therefore is that I extend the interim policy to also approve requests from CAs meeting "WebTrust-equivalent" requirements as defined above.
Based on the information QuoVadis has supplied to me, I believe that they meet those requirements, and under such an extended interim policy I would be inclined to approve QuoVadis to have their CA certificate(s) included in Mozilla. (My only reservation is that the E&Y letter mentioned is not a public document.)
Comments?
Frank
--
Frank Hecker [EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
