On 2014-02-18 14:28, Ruy Ramos wrote:
The Brazilian root CA for ICP-Brasil has complete accountability for the
operations of its subsidiary CAs. That is achieved by annual audit
procedures put into effect by ITI, the federal agency that plays the
role of Root CA of ICP-Brasil.
Please note that the CAB baseline requirements say this:
17. Audit
Certificates that are capable of being used to issue new certificates
MUST either be Technically Constrained in line with section 9.7 and
audited in line with section 17.9 only, or Unconstrained and fully
audited in line with all remaining requirements from section 17. A
Certificate is deemed as capable of being used to issue new certificates
if it contains an X.509v3 basicConstraints extension, with the cA
boolean set to true and is therefore by definition a Root CA Certificate
or a Subordinate CA Certificate.
And:
17.9 Regular Quality Assessment of Technically Constrained Subordinate CAs
During the period in which a Technically Constrained Subordinate CA
issues Certificates, the CA which signed the Subordinate CA SHALL
monitor adherence to the CA’s Certificate Policy and the Subordinate
CA’s Certification Practice Statement. On at least a quarterly
basis, against a randomly selected sample of the greater of one
certificate or at least three percent of the Certificates issued by the
Subordinate CA, during the period commencing immediately after the
previous audit sample was taken, the CA shall ensure all applicable
Baseline Requirements are met.
So it's either:
- They're Technically Constrained, you need to audit them every 3 months
- They're not Technically Constrained and need an audit every year, and
we could include them directly as root CAs.
Kurt