Thorsten Becker:
>
> Can we say that it is necessary (but not sufficient) to get included if
> you have "independent" sub-CAs that they are linked logically and
> legally to your root in a "sufficient" manner? Entities that are
> physically external seem to be quite common (Enterprise CAs)
>

"Quite Common" is perhaps an overstatement. There are scores of CAs with 
no external CAs whatsoever.

However, I don't agree with your statement above; physical inspection and 
gathering of information and evidence on the site is usually quite 
extensive during auditing. If those aren't audited, isn't that 
effectively circumventing the auditing requirement of the Mozilla CA policy?

>
> So it has to be explicitly stated in the audit report, or is it
> sufficient that it is covered in the CP/CPS and the auditor raises no
> objections?

If the CP/CPS has provisions and makes it clear that auditing includes 
the FULL PKI, then I expect the regular audit statements to be 
sufficient. However many times the CP/CPS provisions contractual 
agreements only, in which case the auditor hasn't covered the external 
CAs, but only inspected the agreements. I think that there is a major 
difference between the two.

Back to T-Systems, it makes a difference if the auditor inspected the 
physical situation at the intermediate CAs or if their audit only 
confirms T-Systems' own CA infrastructure. Currently it might be possible 
that one of those CAs has its CA server in the kitchen cabinet under 
the sink somewhere...who knows?

> I agree with that, previously I thought: The auditor also monitors the
> operations of the root CA - not only the documents that describe how the
> operations are carried out, i.e. CP and CPS. During such an audit the
> presence of external sub-CAs would appall to the auditor, and he would
> object if this is considered wrong/dangerous.

I'd hope so...For this to be clear also to third parties like Mozilla, 
the CP/CPS must cover the issuance procedures and requirements for 
issuing CAs, including the physical and logical controls in place. Now 
supposing those are covered in the CP/CPS, the auditor wouldn't sign the 
audit statement before making sure that those are kept.

>
> GlobalSign offers a product that lets you operate your CA externally
> under one of their roots, so I guess these Sub CAs exist but are not
> linked directly to the root CA in question but are in fact subordinate
> root CAs further down the certificate chain. There seems to be no limit
> to the length of the certificate chain.

Nonono...it's nice that GlobalSign offers those as a product, it doesn't 
mean that there are actually external CAs.

In relation to intermediate and external issuing CAs, we mean ANY CA 
certificate which is chained to the root...As I understand, there are no 
other subordinate CAs at the GlobalSign PKI as mentioned in the pending 
page.

>> Most likely Frank can recall the
>> considerations for approving this request.
>
> That would be indeed interesting.
>

I'm certain that I've also looked at this CA during the comment period. 
Since Frank was aware in relation to the possibility of subordinate 
CAs, I believe that he clarified it with GlobalSign and also listed the 
affected subordinate CA certificates at the pending page.


-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
