Kai Engert wrote:
> From my perspective, it's a CA's job to ensure competent verification
> of certificate requests. The auditing required for CAs is supposed to
> prove it.
<snip>
> In my opinion, it means, a CA must do this job themselves.
My quick personal perspective on this (and I'll apologize in advance to
those of you for whom this is old news):

It is long-standing practice in the CA industry to outsource certain
verification-related tasks to third-party Registration Authorities. See
for example the definition of an RA in an old IETF PKIX document:

http://tools.ietf.org/html/draft-ietf-pkix-roadmap-09

"Registration Authority (RA) - An optional entity given responsibility
for performing some of the administrative tasks necessary in the
registration of subjects, such as: confirming the subject's identity;
**validating that the subject is entitled to have the values requested
in a PKC [public key certificate]**; and verifying that the subject has
possession of the private key associated with the public key requested
for a PKC." [emphasis added]

So IMO there is nothing inherently unusual or illegitimate in the fact
that Comodo or other CAs have resellers acting as RAs and doing
validation of domain control/ownership. However such RAs are acting as
agents of the CA, and the CA has ultimate responsibility for ensuring
that the RAs act to uphold the claims made in the CA's published CPS.

As for attestation, in a typical WebTrust for CAs audit the management
of the CA asserts that the CA is operating in accordance with the CPS,
including whatever claims are made in the CPS vis-a-vis subscriber
verification. For example, for Comodo these assertions are in the
following document:

http://www.comodo.com/repository/non_ev_management_assertions.pdf

including the assertion that (during the period of the audit) Comodo
"maintained effective controls to provide reasonable assurance that ...
subscriber information was properly authenticated", albeit with a
disclaimer that "There are inherent limitations in any controls,
including the possibility of human error and the circumvention or
overriding of controls. Accordingly, even effective controls can provide
only reasonable assurance ...."

(Incidentally, this is fairly standard language for a WebTrust for CAs
audit. All the WebTrust management assertions that I've read look like
this.)

The WebTrust for CAs auditors then examine and test these assertions in
various ways, and make their own attestation. For example in the case of
Comodo they stated in the relevant WebTrust for CAs report

https://cert.webtrust.org/ViewSeal?id=798

that "In our opinion for the period 1st April 2008 through to 31st July
2008, the Company’s Directors’ assertion, as set forth in the first
paragraph, is fairly stated in all material respects, based on the
AICPA/CICA WebTrust for Certification Authorities Criteria", although
there's also a disclaimer: "Because of inherent limitations in controls,
errors or fraud may occur and not be detected" (and also things may
change in future).

(Again, this is all pretty standard for a WebTrust for CAs audit report.)

So, in theory at least a WebTrust for CAs audit is supposed to confirm
management's assertions that verification of subscriber information is
being done properly, including any verifications done by third-party RAs
acting on behalf of the CA. In practice such confirmation is not
necessarily based on doing detailed investigation of each and every RA;
it might instead be based on examination of the overall controls put in
place to regulate RAs, combined with any internal audits that CA
managers might have done for RAs. In this respect I suspect that what
Comodo has been and is doing is similar to what other CAs with RAs do.

> The policy currently does not appear to handle the scenario where a CA
> delegates the verification job to an external entity. So it's unclear
> whether it's "forbidden" or "allowed if the external entity has
> received equivalent attestation of their conformance".

When we created the policy I was well aware of the existence of RAs and
of the possibility that CAs might outsource functions like domain
validation to RAs. Whether or not this is clear from the policy (and I
guess it's not, since you and others are asking about this), my
intention was certainly that the activities of RAs were considered to be
encompassed within the overall activities of CAs, and that the policy's
requirement for CAs to validate domains left open the possibility that
this might be done by RAs acting as agents of CAs.

So, to repeat, I don't think the key issue here is whether CAs should or
should not be allowed to delegate domain validation to RAs. The question
(e.g., as in the case of Comodo and Certstar) is rather whether
particular RAs are doing this properly, and if it's not done properly,
whether the failures on the part of RAs represent isolated incidents or
whether they indicate a systemic failure of the CA to properly oversee
its RAs.

Frank

P.S. I'm out of town on vacation this week visiting family. I plan to
continue working on this issue and responding to messages in this
newsgroup, but you shouldn't expect an immediate response if you post
something or email me. I'm going to try to post a summary of where
things are either tonight or tomorrow morning.
--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto