-- Man Ho

On 1/29/2015 7:10 AM, Jeremy Rowley wrote:
> Some initial thoughts:
>
> 1) Membership in the CAB Forum is not required for a CA to commit to 
> complying with the BRs, and if non-membership avoided any obligation to comply 
> with the BRs, I think you'd quickly see a mass exodus from the group.  No 
> member of the CAB Forum is bound to its requirements by agreement or through 
> participation.  Instead, the requirements are only imposed by the browsers 
> as part of their root programs.
The question is only whether a CA can have their Webtrust audit
statement indicate their commitment to comply with the BRs, rather than
putting the commitment-to-comply statement in the CP/CPS. Either way, the
CA is still required to comply with the BRs according to the Webtrust audit.
> 2) The goal of Section 8.3 is for the CA to inform the public about which 
> certs are being issued in compliance with the BRs and which are not.  It's 
> not a marketing requirement.  It's a technical requirement to provide relying 
> parties (and browsers) information about how the CA operates. Section 8.3 
> basically requires the CA to assert that it is doing the MINIMUM required to 
> issue certs. Any CA unwilling to assert this should not be issuing trusted 
> certs.
The CA's assertion that it issues certificates in accordance with the BRs is
REQUIRED by the Webtrust audit anyway. The assertion is also publicly
disclosed with the audit report. Again, the question is only whether a CA
should put a statement in the CP/CPS as section 8.3 requires. If yes, it is a
marketing requirement, because I am not aware of other audit criteria or
standardization bodies that have such a requirement, e.g. Webtrust, ETSI,
or even Mozilla's CP itself.
> 3) Every CA should comply with the latest version of BRs.  CAs who are so 
> inflexible that they can't keep up with the "minor" changes made by the CAB 
> Forum really shouldn't be issuing certs. Recent "minor" changes include 
> deprecation of 1024 bit certs, SHA2 migration, deprecation of internal names, 
> etc.  These are pretty important issues, all of which should be promptly 
> implemented by CAs when adopted. 
Exactly. Changes in the BRs may be "minor" or "important" from different
points of view. A CA may be in trouble for making a false statement in
its CP/CPS if the latest version of the BRs suddenly changes. Worst of all,
the BRs might be changed just before the annual audit. But of course, the
"minor" changes that you have mentioned should already have been fulfilled by
CAs.
> 4) Although relying parties might not frequently review audit reports and CPS 
> docs, the Mozilla community does look at CPS docs.  Asserting compliance in 
> the CPS lets the community know the criteria under which the CA is operated 
> and permits them to compare the CPS to a third party standard.  Without the 
> assertion, the CA isn't telling you anything about which policy they are 
> operating under.
I think the Mozilla community should have no problem looking at the Webtrust
report and the CA's assertion as to which version of the BRs it complies with,
since it's required by Mozilla's CP. I understand that Kathleen is somehow
maintaining a spreadsheet of CA audits, isn't she? This approach is actually
a better alternative.
>
> Obviously, I think an exception to this simple requirement is a mistake.
Obviously I don't think that section 8.3 of the BRs is a simple requirement.
>
> Jeremy
>
>
>
>
> -----Original Message-----
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
>  On Behalf Of Kathleen Wilson
> Sent: Wednesday, January 28, 2015 3:49 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Question about BR Commitment to Comply
>
> All,
>
> https://wiki.mozilla.org/CA:BaselineRequirements
> Currently says: "The CA's CP or CPS documents must include a commitment to 
> comply with the BRs, as described in BR section 8.3."
>
> I have been asked if a CA can have their Webtrust audit statement indicate 
> their commitment to comply with the BRs, rather than putting the commitment 
> to comply statement in the CP/CPS.
>
> Here are the reasons:
>
> 1) We are not a member of CAB/Forum and do not have any mutual agreement that 
> can bind the obligations and responsibilities of both parties. It seems that 
> the BR keeps changing very often.
>
> 2) The requirement of BR section 8.3 is quite weird as there is no such 
> requirement in other audit criteria such as WebTrust. Would it be a marketing 
> requirement rather than a technical requirement?
>
> 3) Further to (1) above, the proposed statement in BR section 8.3 also 
> requires the CA to adhere to the latest published version. But nobody can assure 
> compliance with it all the time. Even if a particular version number could be 
> stated, practically it'll take quite a long time to modify our CPS just due 
> to some minor changes in the BRs by the CAB/Forum.
>
> 4) On the other hand, since CAs are required to perform a Webtrust audit 
> annually anyway, it seems more appropriate for the Webtrust audit statement 
> to disclose which version of the BRs the CA adheres to.
>
> I would appreciate your thoughtful and constructive suggestions about this.
>
> Thanks,
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>

