On 10/03/2008 05:37 PM, Iang:
> I am not entirely convinced that it is as easy as that. The audit is a
> far more nuanced thing than "auditor checks, it's ok." If you think
> that, then, I've got a subprime to sell you.

The WebTrust audit is pretty clear in this respect, not sure what you mean really...

> In general, I'd agree that even more weak contractual links will not
> help; we should sort out the ones we already have before expanding or
> adding to them.

See my reply to Paul Hoffman.

> This seems a little black and white. Auditors do not check everything,
> and indeed they do not necessarily check that a particular thing is
> good. What they more do is check that reasonable checks are in place;
> this might be checking of the checking of the checks, rather than
> checking the physical evidence.

And how exactly do you intend to check the checks that are in place without gathering evidence about the effectiveness of those?

> Which is to say, an auditor can check an internal auditing department.
> And lean on that. Or can choose to audit by self. Or some other thing.
> The important thing would be that the method taken is clear and obvious
> to all.

Self-auditing is part of the EV requirements for example, still a third-party audit is done every year. It's best practice and part of the controls a CA implements on its own operations. Auditing of the sub/cross signed CA by the root is certainly part of the parent CA obligations during day-to-day operation, it still would circumvent Mozilla's requirement for auditing if the auditor doesn't confirm the subordinate CAs. IMO the controls which we need to be in place in order to be comparable to a third-party audit would have to be really, really convincing! Basically the CP/CPS would call for auditing those by the third-party auditor...

> Yes, there is a technical and infrastructure difference, but how much
> does this matter, in a material sense, to a real attack, to a real user?
> Maybe the attacker is just at a different point in the food chain?

It's called CA business continuity management amongst others. There is a substantial difference between a failure of an RA and a CA.

> As to whether the audit is needed ... well, there are *many* issues with
> the overall process. Here's one: what does it offer to the users? How
> much safer do people feel because there are lots of extra audit
> processes these days?

I have no intention of starting a discussion about the value of audits in general. The rest implies the former.

> http://www.sslshopper.com/article-phishing-with-ev-ssl-certificates.html

That's out of the scope of what we are doing here.

> Ahhh, relying parties, who are they, he asks innocently :)

If you'd follow my postings for a while you'd hear this very frequently from me.... :-)

> The current *implication* I would draw is that anything that is
> expressed in the policy applies to all sub CAs. So that particular
> question is covered.

This assumption is incorrect - in practice and in policies. But how do you confirm a particular infrastructure without auditing? Assumptions? Because it's in the CPS? Else?

> We would have more of a question about something in a CPS of the primary
> CA, that was reversed in a sub-CA.

The issue is about auditing - we know what's in the CPS...

> Yes, that's one direction. Internal audit. Another development (which I
> have frequently commented on without any particular favour :) ) is that
> Mozilla itself is auditing the audits. E.g., what's this 40 week
> backlog, if not that process of auditing the audits.

Which shows to me that you've never participated in a real audit...

> Have you read the auditor's opinion? It generally starts with something
> like "*management* has put in place procedures and policies..." If you
> don't trust the checks performed by the CA, then you're sunk, because
> the auditor should check the system of checks, not do the checking by self.

Same as above...

> These are all standard issues; but they are issues for everyone in the
> food chain. Would an auditor be willing to lose a good paying customer
> because of some "minor deficiencies" ?

No, but the auditor will help correct those (and request some more payment perhaps ;-) )

> Does an auditor check every RA
> operation, physically?

No, and he doesn't have to, it's an RA, a function performed many times by CAs directly. The RA doesn't control the CA keys, issuance process and procedures...basically the RA doesn't control anything really...the RA performs part of the process.

> Does an auditor verify the creation of certificates?

Certainly.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto