On Mon, Apr 07, 2014 at 04:18:17PM -0700, Kathleen Wilson wrote:
> >
> >http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> >
> >"14. By "independent party" we mean a person or other entity who is not
> >affiliated with the CA as an employee or director and for whom at least
> >one of the following statements is true:
> >- the party is not financially compensated by the CA;
> >- the nature and amount of the party's financial compensation by the CA
> >is publicly disclosed; or
> >- the party is bound by law, government regulation, and/or a
> >professional code of ethics to render an honest and objective judgement
> >regarding the CA."
> >
> >For instance, in the KISA discussion it was established that KISA is an
> >independent organization from their subCAs, they are not financially
> >compensated for the audits, and they are bound by government regulation
> >to do the audit. So, can KISA (as a Super-CA) audit their subCAs?
> >
> >Kathleen
> >
> 
> 
> If I'm understanding the input on this correctly, then an outside auditor
> needs to be involved in some way. But that can mean that the outside auditor
> > verifies that the audit criteria being used include the Baseline
> Requirements and the WebTrust or ETSI criteria that Mozilla requires, and
> that the outside auditor reviews the Super-CA's audit report of each
> subordinate CA to confirm that the subCA was indeed evaluated according to
> the stated criteria.
> 
> Correct?

Those super CAs already need to get an audit.  I think what he's
saying is that that audit should include their audit of the sub
CAs.

Or you would have to do some checks that they really follow those
rules.

PS: Did you communicate those things to the (known) super CAs?


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy