Frank,

Good work on the policy!  It's certainly a lot of work, and
this is shown by how much in the past has been left
undone by so many.

> In other words, this is not a wholesale but rather a strategic
> retreat from my former position: I am accepting the claim that
> the WebTrust criteria (or something like them) are the ones that
> should be used, but I am seeking to preserve the freedom to have
> CAs show conformance in ways that don't necessarily require them
> to pay KPMG, E&Y, etc., large amounts of money to get an official
> WebTrust seal.

It's certainly a clarification of some importance. What this does
is to place the criteria as the central point, as opposed to the
CPA, etc. That's a welcome clarification, and below I'd recommend
more along those lines.

By accepting the claim that some audit process of the criteria
(derived from WebTrust) is required, you are in the converse
ruling unaudited CAs as not being acceptable.  Opening the
door to low-cost and efficient audits may be an acceptable
alternate.  But, this will only be the case if such audits happen,
hence my concerns below.

> That is also in part why I used the phrase "third-party
> attestation" -- stolen from the Microsoft CA requirements -- as
> opposed to "audit", to avoid the implication that conformance has
> to be judged by a CPA or equivalent professional. It's just that
> if the "attestation" is done by people who are not WebTrust
> auditors then I think people will require -- and I think rightly
> -- more information in order for them to have confidence in the
> CA and the third-party review. (For example, we see this in the
> discussion about T-Systems.)


I see what you are saying.   I think the word we are looking
at here is audit, which is the process.  Auditing is not something
that is only done by CPAs or equivalent professionals; in fact,
audits are done all the time in organisations by ordinary people.

(CPAs and so forth do try and make it sound as if they are the
only ones who can do audits.  That's just normal 'franchising'
behaviour on their part.)

But this is a minor point.

> I should also note that the "third party" could in fact be myself
> or other volunteers participating in the Mozilla project, so I'm
> preserving that option as well; the only requirement is that the
> third party be independent from the CA itself.


Luckily David Ross has posted his intention to do just that,
so we have a concrete case to examine.

This worries me.  The third parties are now being asked to
attest to something that is expected to be of the same
standard as WebTrust.

This can be examined from the pov of when something goes
wrong and there is money involved.  (It is not so useful to
examine the alternates...)  Suppose something goes wrong
and some dispute enters court.  (I'm not suggesting this is
likely, it just makes it easier to bring out the results.)

In court, the plaintiff argues that the standard was WebTrust,
and a WebTrust approved auditor was not employed.  WebTrust
and a bevy of expert witnesses then pontificate that only
CPAs on "the list" can do WebTrust, by definition, and by
qualifications.  Which is a hard one to knock down in court
(judges respect guilds and qualifications) which leaves MF
and/or the auditor on the hook.

So I would suggest that 4. be rewritten to revise the standard
as "audited according to criteria acceptable to MF" and to
make a remark in passing that the criteria originally derives
from the WebTrust criteria, and the successful completion
of a "WebTrust for Certification Authorities" would generally
be deemed to meet the criteria.

By way of example:

==================================
"4. The Mozilla Foundation will consider adding certificates
for additional CAs to the default Mozilla certificate set upon
request. The Mozilla Foundation requires that all such CAs:

  a. provide some service relevant to typical Mozilla users; and
  b. be appropriately audited against published criteria
      satisfactory to MF.

The starting point for the criteria is the _WebTrust for CA_ criteria,
and may be modified from time to time in the FAQ.  The audit
statements must be published.

5. The auditor must be approved by MF.  MF may indicate
its preliminary approval, but the final decision is made
concurrent with acceptance of the CA.  Professional auditors
listed by WebTrust for this purpose are presumed acceptable
to MF.
==================================


The intention is to state that MF makes the decisions as to what
the criteria are, and who the auditor can be. If WebTrust were
given more say than "that's where we started from" then one could
imagine some sort of competitive response when WebTrust's members
notice that they are losing business. That competitive response
should be limited to "we are better" and not be "you don't follow
our accepted standards!"

Perhaps another way of looking at it is to consider that it
shouldn't be ruled out of court that a bug be filed against
WebTrust in toto in the future.  Regardless of the merits
of that bug, the policy should be capable of standing on
its own two feet in the event that WebTrust itself is dropped.

(See previous post, obviously OMB thought little enough of
WebTrust to ignore it.)

iang

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
