Frank Hecker:
> Eddy Nigg (StartCom Ltd.) wrote:
>> I think the question raised with that CA was also whether the audit covers
>> the whole CA infrastructure, i.e. all the different independent CAs
>> operating under the KISA root. If I remember right, the CPS has no
>> provision in that respect and the audit covers only KISA's operations
>> itself.
>
> I looked into this a while back. Auditing of the subordinate CAs
> ("licensed CAs" or LCAs) was/is mandated by the relevant Korean law and
> regulations that set up KISA in the first place and established MIC
> authority over it. KISA itself does the auditing of the LCAs, as
> mandated by the law and regulations.
OK, so in that case KISA itself is becoming an auditor. Would KISA then issue audit reports about the various CAs in question? What would be the pros and cons of having each licensed CA approved instead of KISA as a "wild card" CA for a whole country?

>> If we were to apply Microsoft's new criteria (not that this matters for us
>> really) of having the audit cover the full CA infrastructure, this
>> one wouldn't go through.
>
> Actually, Microsoft has special provisions for audits of government CAs
> (as I mentioned in a separate message). The audit requirements on
> commercial CAs (item 7, "General Requirements") don't apply to
> government CAs.

It might be understandable that Microsoft takes such an approach and has good reasons to skip this requirement because of its business interests with governments. Otherwise it wouldn't make much sense, since each government handles its own affairs very differently. I have had the chance to read a few such laws of different countries and the differences are striking, ranging from a "registration requirement only" for operating CAs to actual close control of the CAs. Additionally, what a "Government CA" actually is will have to be clearly defined. Governments can present a very good anchor for taking responsibility for CAs operating under their control, but I'm afraid there are no unifying criteria for such laws. I tend to prefer a case-by-case decision instead of the approach Microsoft has taken, and would make auditing of the entire CA infrastructure a requirement in the Mozilla CA policy in any case. KISA is a CA authorized and commissioned by their government; however, the operating CAs are not government CAs, but regular CAs with commercial interests etc.
So this makes it a bit tricky, I think... As I proposed earlier, concerning independent CAs operating under a unified CA root which are independent companies, where the sole purpose of the CA root is to act as an anchor, each CA should be audited explicitly on its own, or each CA should at least be explicitly confirmed. Thoughts?

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto