The way I see it there are basically 2 cases:
1) The root CA and the other CAs are not related.  Those other CAs are
   *not* Sub-CAs, they are CAs on their own and are independent of
   the root CA.
2) The root CA and *all* Sub-CAs are the same organization. 

What I see here being argued is that KISA should fall under 1).
And I have no problem seeing KISA as being independent here, since
I understand that they are so under the law.

But this would mean the following for me:
- The other CAs need to have an audit at least every year to check
  for compliance with *our* requirements, not the requirements from
  the Korean law.  That is, we might have more requirements than
  the Korean law, and they need to be checked too.
- There is no need for us to accept the KISA root CA, since they
  don't sign end user certificates and the LCAs need to have
  an audit anyway.  We can just accept the LCAs that request it
  based on KISA's audits, assuming that they meet all the
  requirements.

But I have yet to see that KISA has been audited to comply with
all our requirements.  Nothing in here says that KISA has been
audited for compliance with the CA/Browser forum Baseline
Requirements.

There has been no clear indication what the Korean law now asks
you to audit in the LCAs and whether that's equivalent to any of
those audits we now accept.  It's also not clear that all our
requirements are being audited in those LCAs.

I'm still of the opinion that we should not add KISA and that the
LCAs should instead apply themselves.  I see no problem with KISA
doing the audits.  If they do not audit all our requirements, some
or all of those might need to be audited by another independent
party.


Kurt

On Tue, Mar 11, 2014 at 11:12:20AM +0900, ??? ????? wrote:
> there was no and is no on-going financial relationship between KISA and all
> the Sub-CAs.
> (and of course there will be no)
> 
> 
> 2014-03-11 11:04 GMT+09:00 Al Billings <abilli...@mozilla.com>:
> 
> > On 3/10/14, 6:58 PM, spark0...@gmail.com wrote:
> > > This might be a normal case for CA and Sub-CA in the business and that's
> > why I am mentioning Korea Electronic Signature Act.
> > > I do understand why BR is requesting for 'independency' of the auditor,
> > but because KISA is designated by law to audit the accredited CAs, our
> > relationship is clear (no corruption or mis-audit can happen). It is between
> > the auditor and auditee. We also do not have any conflict of interest
> > between KISA and Sub-CAs because we do not make any profit from the sub-CAs.
> >
> > The reasoning here is that there should be no ongoing financial
> > relationship causing a conflict of interest, I believe.
> >
> > Al
> >
> > --
> > Program Manager
> > Firefox Platform Security Team
> >
> >
> >
> 
> 
> -- 
> Phone: (02)405-5434
> Fax: (02)405-5249
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy