It is stated in the law, and the entire procedure is controlled by the 
government.
Because it is the law, if the subCAs do not follow the policies they would be 
breaking the law.
Please understand that some countries prefer the government to be involved 
rather than an outside auditor (like consulting firms) for the transparency of 
the procedure.

On Wednesday, April 2, 2014 at 3:17:40 PM UTC+9, David E. Ross wrote:
> On 4/1/2014 8:11 PM, Kathleen Wilson wrote:
> > On 4/1/14, 11:12 AM, Kathleen Wilson wrote:
> >> On 3/31/14, 4:01 PM, Kathleen Wilson wrote:
> >>> On 3/18/14, 11:54 AM, Kathleen Wilson wrote:
> >>>> All,
> >>>>
> >>>> The only place where we currently describe Super-CAs is here:
> >>>>
> >>>> https://wiki.mozilla.org/CA:SubordinateCA_checklist
> >>>> “In the situation where the root CA functions as a super CA such that
> >>>> their CA policies don't apply to the subordinate CAs (including
> >>>> auditing), then the root CA should not be considered for inclusion.
> >>>> Rather, the subordinate CAs may apply for inclusion themselves, as
> >>>> separate trust anchors.”
> >>>>
> >>>>
> >>>> I’d like to clarify this text, so that CAs who are super-CAs will
> >>>> realize that it applies to them.
> >>>>
> >>>
> >>>
> >>> Thanks to all of you who have commented on this. Based on your input,
> >>> here's a new proposal:
> >>>
> >>> --
> >>> Some CAs sign the certificates of subordinate CAs to show that they have
> >>> been accredited or licensed by the signing CA.  Such signing CAs are
> >>> called Super-CAs, and their subordinate CAs must apply for inclusion of
> >>> their own certificates until the following has been established and
> >>> demonstrated:
> >>> - The Super-CA’s documented policies and audit criteria meet the
> >>> requirements of Mozilla’s CA Certificate Policy, which includes the
> >>> CA/Browser Forum’s Baseline Requirements, and includes sufficient
> >>> information about verification practices and issuance of end-entity
> >>> certificates.
> >>> - The Super-CA is at all times completely accountable for their
> >>> subordinate CAs, and the Super-CA ensures that all subordinate CAs
> >>> demonstrably adhere to the Super-CA’s documented policies and audit
> >>> criteria.
> >>> - The Super-CA provides publicly verifiable documentation and proof of
> >>> annual audits for each subordinate CA that attest to compliance with the
> >>> Super-CA’s documented policies and audit criteria.
> >>> - The subordinate CAs do not themselves act as a Super-CA or sign a
> >>> large number of public third-party subordinate CAs, making it difficult
> >>> for Mozilla and others to annually confirm that the full CA hierarchy is
> >>> in compliance with Mozilla’s CA Certificate Policy.
> >>> --
> >>>
> >>
> >>
> >> I've updated the wiki page:
> >>
> >> https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
> >>
> >> Comments, corrections, and recommendations on this are still welcome.
> >>
> >> Thanks!
> >> Kathleen
> >>
> > 
> > I think we need to add one more bullet point to this regarding when it 
> > is OK for the Super-CA to be the auditor of its subordinate CAs.
> > 
> > http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> > "14. By "independent party" we mean a person or other entity who is not 
> > affiliated with the CA as an employee or director and for whom at least 
> > one of the following statements is true:
> > - the party is not financially compensated by the CA;
> > - the nature and amount of the party’s financial compensation by the CA 
> > is publicly disclosed; or
> > - the party is bound by law, government regulation, and/or a 
> > professional code of ethics to render an honest and objective judgement 
> > regarding the CA."
> > 
> > For instance, in the KISA discussion it was established that KISA is an 
> > independent organization from their subCAs, they are not financially 
> > compensated for the audits, and they are bound by government regulation 
> > to do the audit. So, can KISA (as a Super-CA) audit their subCAs?
> > 
> > Kathleen
> 
> I'm not sure I am comfortable with a "super CA" auditing the CAs it
> accredits or licenses.  Yes, the super CA should indeed oversee (not
> overlook) the operations of its subordinate CAs to ensure the latter
> adhere to the former's policies.  However, I think it is important that
> an outside auditor verifies that the super CA is indeed exercising that
> oversight and that the subordinate CAs are indeed adhering to the
> policies.
> 
> -- 
> David E. Ross
> 
> The Crimea is Putin's Sudetenland.
> The Ukraine will be Putin's Czechoslovakia.
> See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy