Hi,

I think what we want to accomplish is that all CAs are properly
audited with all our requirements.  And from what you describe I
see no problem with PKIoverheid.  But I have the feeling that the
Dutch government is an exception and can only hope that the others
would follow the example.

You say that commercial parties can also apply for this with
PKIoverheid.  But they could also apply directly with Mozilla
for inclusion, since I understand that they would also comply with
Mozilla's requirements.  I'm not sure what the best approach is.

The advantages I see for applying directly with Mozilla instead of
some super CA:
- It's more transparent.  Mozilla publishes all audit reports.
- We can constrain the CAs more easily.
- It's easier to disable a CA in case of problems.
- The hierarchy gets smaller.

The disadvantages:
- The new CA would need to apply in multiple programs like
  Mozilla and Microsoft.
- Might give more work to Mozilla.

Others?


Kurt

On Thu, Mar 20, 2014 at 03:59:35AM -0700, Policy Authority PKIoverheid wrote:
> As the Policy Authority of the Dutch Governmental PKI program (PKIoverheid) I 
> would like to add our view to this discussion. We operate a program that is 
> similar in character to the Federal Common Policy CA. We operate one trust 
> anchor (the Staat der Nederlanden Root CA) for use with and within Dutch 
> Government. This trust anchor is already included in the major browser 
> products such as Mozilla, Microsoft and Apple.
> 
> We enable parties - both governmental and commercial - to operate as 
> Certificate Service Providers under our Root CA. In doing so we have created 
> an infrastructure that can be used for communication within and with Dutch 
> government. Our Certificate Service Providers must adhere to our Certificate 
> Policies, that are based on ETSI TS 101456 and 102042 with a number of 
> additional PKIoverheid requirements such as the adherence to the CABforum 
> Baseline Requirements. The CSPs annually undergo an external audit. This 
> certification is an ETSI certification with the additional PKIoverheid 
> requirements taken into account.
> 
> This thread started with the fact that "several national certification 
> authorities are actually acting as super CAs without complete accountability 
> for the operations of their subsidiary CAs". This clearly is a problematic 
> practice, as this does not create the required transparency needed for a 
> trust system to operate correctly. A so-called super CA must at all times be 
> completely accountable for their sub-CAs. It is then the responsibility of 
> these sub-CAs to meet the publicly stated requirements of the Certificate 
> Policies of the super CAs, and undergo an external audit to that effect. The 
> Policy Authority PKIoverheid is completely accountable for the CSPs within 
> the PKIoverheid/Staat der Nederlanden hierarchy. 
> 
> Looking at the proposed requirements as posted by Kathleen we see the need 
> for all, bar the requirement for the Root CA organization to issue end-entity 
> certificates. In our opinion the fact that a trust anchor organization is 
> able, or does, issue end entity certificates does not add to the 
> trustworthiness of the system as a whole. The trust anchor organization must 
> ensure that all sub-CAs demonstrably adhere to the requirements that are 
> applicable to a trust anchor, by means of an external audit and publicly 
> verifiable documentation and proof.
> 
> Regards,
> Mark Janssen
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> 