On 10/03/2008 04:29 AM, Frank Hecker:
>
I turned your reply somewhat upside-down, because I want to comment first in general terms...

> Well, it does matter how difficult it is to implement a policy, and I
> think we have to exercise some judgment here. At one end of the spectrum
> we have situations where we have a small number of subordinate CAs, each
> of which issues lots and lots of certificates. T-Systems is apparently
> like this, as are KISA and perhaps others. Here I think it is realistic
> for us to take a closer look at the subordinates.
>
I agree that we need to think about it and provide clear guidance about what is acceptable and what not! Let's go...

The physical evidence gathering at the CA is a *substantial* part of an audit; it's one of the cornerstones of auditing. Without it, auditing would be very difficult and mostly meaningless. The physical walk-through and on-the-spot evidence gathering is a *substantial* effort in terms of time and money for the CA. It's also the basis which allows Mozilla to trust those audits and have some confidence about the CA, be it the controls in place or its general functioning.

Now, you are suggesting that we can rely on meaningless contractual requirements set up by the CA, with no guarantees whatsoever that the external entities, which aren't even part of the same company and don't share the physical infrastructure, have really complied with them. How does an auditor confirm requirements set up by the CA without actually visiting those intermediate CAs? Either the auditor gathers evidence about the controls in place which govern those CAs, in which case the auditor has no problem confirming them; otherwise the auditor hasn't done so and can't confirm conformance to the controls set up by the CA. It's a chicken-and-egg problem: either the CA has sufficient controls in place and has set up requirements which resemble those of the root, in which case the auditor must confirm them, or the CA doesn't have those controls in place and the auditor has nothing to confirm either.

In either case the result is the same: either the subordinate CAs were part of the audit or not, and the auditor can confirm it or not.

> To echo what I wrote earlier, it's analogous to the case of CAs that
> out-source the RA function to others, especially in the enterprise
> environment. I doubt that, e.g., a WebTrust audit entails auditing each
> and every organization participating in RA activities; I presume what is
> done is instead to look at the overall controls in place for such
> arrangements.

Yes, but the RA doesn't control the CA infrastructure, nor does the RA actually issue the certificates. Nor does the RA have the power to move, remove or modify anything about the CA; it validates the subjects according to some criteria, and the CA is obligated to assert control and assure the quality of the RA by various means. This is NOT the same as a sub-CA or cross-signed CA. See "Business Continuity Management" and "Physical and Environmental Security"... Hey! An RA can make a mistake here and there (at most); the RA can't take the whole CA infrastructure down or compromise the CA keys. This is a substantial difference!

> It is not clear to me that it's realistic for us to require actual
> audits for each and every third-party subordinate CA.

No? But it's a requirement of (root) CAs, so how can it NOT be a requirement of any participating CA? Mozilla defines the rules; that's the most realistic it can get. If the audit requirement can be circumvented by simply getting into a contractual agreement with another CA, then I request to skip the audit requirement altogether. Why bother? (This should serve as an example, I don't really mean it.)

> Even beyond the
> WISeKey model (the "CA in a box" appliance device), I suspect that a
> number of other CAs serving the enterprise market have enough
> subordinates that it would be unrealistic to require actual audits of
> all subordinates in these cases as well.

Who said that everything which was done to date was correct and useful (to the relying parties)? Just because it exists doesn't mean it's really the right thing to do. "CA-in-a-box" is a risk Mozilla shouldn't accept without some guarantees (which auditing provides). Let's suppose CAs stop verifying domain control of server certificates because some hardware vendors decided that the enterprise market needs it; will you also call it unrealistic to make it a requirement? Most likely not! Your effort to admit more CAs shouldn't come at the expense of basic requirements, and those are confirmed by an audit. No audit, no confirmation, no confidence and a higher risk.

> (Which is not to say that
> there's no auditing at all -- for example, the (root) CA could have some
> sort of random or spot auditing scheme.)
>
You know what that's worth... are you promoting CAs to be auditors now? Having the cats take care of the milk... Random checking goes as far as it's convenient. There is no problem performing such a check around the next corner, but going all the way to the Falkland Islands is neither convenient nor financially attractive, hence it will not happen either. It's simply useless; besides that, I question the effectiveness of such a check performed by the CA itself. Would you be willing to lose a good paying customer because of some "minor deficiencies"?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org