Hi Eddy. 

Yes, this is true... unless the SubCA is technically constrained. In that
case the auditing is less restrictive, so that the CA can audit, and should
audit, the SubCA for compliance and quality. The constraints provide
protection but don't solve best practice such as key size, SAN inclusion, etc.,
so these need to be flowed down and monitored as per the amendments to the
BR guidelines in ballot 105 last July.

Steve

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve.roylance=globalsign....@lists.mozilla.org] On Behalf Of Eddy
> Nigg
> Sent: 10 March 2014 23:07
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Seeking guidance on proceeding with KISA root inclusion request
> 
> On 03/07/2014 07:10 AM, From spark0...@gmail.com:
> > According to Mozilla's definition of independent party, KISA is
> > independent organization from Sub-CAs(not employees nor director)
> 
> The minute a CA signs a certificate of/for another CA, it's not independent at all. In
> fact a tight relationship exists between the two parties and a CA can't audit
> another CA. For this the BR sets forth a requirement for an independent audit by a
> (different) auditing firm than the CA signer/issuer, in order to avoid any conflict of
> interests.
> 
> --
> Regards
> 
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org
> Blog:          http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

Attachment: smime.p7s
Description: S/MIME cryptographic signature
