On 4/7/14, 4:27 PM, Kurt Roeckx wrote:
On Mon, Apr 07, 2014 at 04:18:17PM -0700, Kathleen Wilson wrote:

If I'm understanding the input on this correctly, then an outside auditor
needs to be involved in some way. But that can mean that the outside auditor
verifies that the audit criteria being used includes the Baseline
Requirements and the WebTrust or ETSI criteria that Mozilla requires, and
that the outside auditor reviews the Super-CA's audit report of each
subordinate CA to confirm that the subCA was indeed evaluated according to
the stated criteria.

Correct?

Those super CAs already need to get an audit.  I think what he's
saying is that that audit should include their audit of the sub
CAs.

Or you would have to do some checks that they really follow those
rules.


I'm still conflicted about whether a Super-CA can audit their subordinate CAs. And if they can, then what assurances do we have that the audit was done in an unbiased manner and according to the criteria that we require?



PS: Did you communicate those things to the (known) super CAs?



Here's the pending and included Super-CAs that I'm aware of.


KISA (Government of Korea, Bug #335197)
https://bugzilla.mozilla.org/show_bug.cgi?id=335197#c168
"...KISA CA is a Super-CA, so the following applies:
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs"


ICP-Brasil (Government of Brazil, Bug #438825)
https://bugzilla.mozilla.org/show_bug.cgi?id=438825#c126
"The conclusion of the discussion is:
https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
....Therefore, this request for inclusion of the ICP-Brasil root will be on hold, pending inclusion of ICP-Brasil's subordinate CAs. The subordinate CAs should create separate Bugzilla bugs and apply for inclusion themselves as separate trust anchors"


SUSCERTE (Government of Venezuela, Bug #489240)
https://bugzilla.mozilla.org/show_bug.cgi?id=489240#c31
"Please have each sub-CA file a separate bug requesting the inclusion of their certificate"


CCA (Government of India, Bug #557167)
https://bugzilla.mozilla.org/show_bug.cgi?id=557167#c16
"Create a separate bug for each of the 7 intermediate CAs to be separately evaluated for inclusion as a trust anchor in NSS."


US FPKI (Government of US, Bug #478418)
A representative of the US FPKI CA has been involved in this discussion. My impression is that US FPKI meets the criteria listed in the wiki page that are needed before the Super-CA can have their root included, so I don't expect that they will need to have their subCAs apply for inclusion separately. Additionally, US FPKI has agreed to have their CA hierarchy constrained (e.g. to *.us, *.gov and *.mil). There will be another discussion about this CA when we believe our verification software will properly constrain the CA and will sufficiently handle the complexities of the old hierarchy (which is cross-signed) -- needs to be tested with mozilla::pkix.


PKIoverheid (Government of Netherlands, Bug #551399)
A representative of the PKIoverheid has been involved in this discussion. Note that PKIoverheid is already included, but they have demonstrated and continue to demonstrate the requirements for Super-CAs listed in the wiki page. Their subCAs are audited annually by an external third-party.


Please let me know if you think other included or pending CAs are Super-CAs.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
