Hi,

I have a few questions:
- Are all those subordinate CAs part of the government?
- Do all audit criteria for approving the subordinate CA match
  those that are required by Mozilla?

If both of those are the case, I see no problem adding it.


Kurt

On Wed, Mar 19, 2014 at 07:52:20PM +0000, Brown, Wendy (10421) wrote:
> With full disclosure that I have applied for the US Federal Common Policy CA 
> to be included as a trust anchor (even though we haven't made it through the 
> process yet), I question the proposal to try and have all the 
> cross-certified or subordinate CAs individually apply to be trust anchors.  
> In the case of the US government this would defeat the purpose of trying to 
> get the Federal Common Policy CA in the trust store as the single trust 
> anchor for the US federal government.
> 
> We do publicly disclose all the CAs we have certified, we do require 
> independent audits of each and every CA, the Common Policy CP and a redacted 
> version of our CPS is publicly available as is the criteria for approving the 
> subordinate CAs, although they each have to have their own CPS which we have 
> mapped to the CP.  Not all of these subordinate CAs even operate a Root CA, 
> because they are supposed to be subordinate to the Federal Common Policy CA.
> 
> Those CAs that are cross-certified with the Federal Bridge CA (and therefore 
> have a valid path to the Federal Common Policy CA) operate under their own CP 
> and CPS, but their CP has to have been mapped to the Federal Bridge CP which 
> is again publicly available and they are required to undergo an annual PKI 
> audit which includes independent assessment that they are operating under a 
> CPS that maps to their CP and they are in compliance with the Memorandum of 
> Agreement with the Federal PKI Policy Authority.
> 
> Thanks,
> Wendy
> 
> Wendy Brown
> Protiviti Government Services
> 703-299-4705 (office)    703-965-2990 (cell)
> 
> wendy.br...@protiviti.com
> wendy.br...@fpki.gov
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> 