CAs contracting out the work to do the root inclusion process

2013-10-17 Thread Kathleen Wilson
All, I think we should have a discussion about the level of involvement required of a CA to go through the root inclusion process. How much of the process can a CA pay someone else to do? What should the CA do on their own to demonstrate their own commitment to running a trust anchor? I am

Re: Updating CA:SubordinateCA_checklist

2013-10-17 Thread Rob Stradling
"Non-Technically Constrained Subordinate CAs" Kathleen, I wonder if some people might interpret that as "Subordinate CAs that _are_ Constrained by Non-Technical means". This would obviously exclude Subordinate CAs that are completely unconstrained (both technically and non-technically). So,

RE: Updating CA:SubordinateCA_checklist

2013-10-17 Thread Jeremy Rowley
On this page, a sub CA could refer to the organization holding an intermediate certificate or an intermediate certificate. If the latter, then I think you need to retain "third-party" to distinguish between intermediates covered by the CA's own audit and those covered under a separate audit. Jer

Updating CA:SubordinateCA_checklist

2013-10-17 Thread Kathleen Wilson
All, I need to update https://wiki.mozilla.org/CA:SubordinateCA_checklist to reflect the current policy (technically constrain or disclose/audit). I propose the following changes. 1) Remove the Terminology section. Given the current policy, the terms "In-House", "Third-Party", "Private", "Publ

Re: Root Certificates of USA CAs still trustworthy?

2013-10-17 Thread Phillip Hallam-Baker
On Thu, Oct 17, 2013 at 6:04 AM, Gervase Markham wrote: > On 17/10/13 00:07, Phillip Hallam-Baker wrote: > > Each HSM vendor has their own security controls but a FIPS140 level 4 > > device won't release them except to another FIPS-140 device. There is no > > way to extract the key from the syste

Re: Root Certificates of USA CAs still trustworthy?

2013-10-17 Thread Moudrick M. Dadashov
On 10/17/2013 1:04 PM, Gervase Markham wrote: On 17/10/13 00:07, Phillip Hallam-Baker wrote: Each HSM vendor has their own security controls but a FIPS140 level 4 device won't release them except to another FIPS-140 device. There is no way to extract the key from the system unencrypted. Phil: w

Re: Root Certificates of USA CAs still trustworthy?

2013-10-17 Thread Gervase Markham
On 17/10/13 00:07, Phillip Hallam-Baker wrote: > Each HSM vendor has their own security controls but a FIPS140 level 4 > device won't release them except to another FIPS-140 device. There is no > way to extract the key from the system unencrypted. Phil: what prevents a government just turning up w