On 2015-01-28 23:49, Kathleen Wilson wrote:
> All,
> https://wiki.mozilla.org/CA:BaselineRequirements
> Currently says: "The CA's CP or CPS documents must include a commitment
> to comply with the BRs, as described in BR section 8.3."
section 8.3 says:
| The CA SHALL publicly give effect to these Requirements and represent
| that it will adhere to the latest published version. The CA MAY
| fulfill this requirement by incorporating these Requirements directly
| into its Certificate Policy and/or Certification Practice Statements
| or by incorporating them by reference [...]
So it says they must commit to it. It does not say it must be in the CP
or CPS; it just recommends putting it there since it's the most obvious
place to put it. But I think any document created by the CA that says
so should be fine.
> I have been asked if a CA can have their WebTrust audit statement
> indicate their commitment to comply with the BRs, rather than putting
> the commitment to comply statement in the CP/CPS.
Isn't an audit statement done by an auditor? How can an auditor
indicate that the CA is committed to doing it? It's the CA that needs
to commit to it.
> 1) We are not a member of CAB/Forum and do not have any mutual agreement
> that can bind the obligations and responsibilities of both parties.
I don't see how that is relevant. The CAB/Forum is just like any other
standards body. If you wish you can join it, but you're not required to.
The obligations and responsibilities are not with the CAB/Forum, but with
the rest of the world that would use the certificates.
> 2) The requirement of BR section 8.3 is quite weird as there is no such
> requirement in other audit criteria such as WebTrust. Would it be a
> marketing requirement rather than a technical requirement?
I see this as a pure technical requirement that you will follow the
requirements, and that you will follow the new requirements. I see no
other reason why you would be forced to follow them other than that you
say you will.
> 3) Further to (1) above, the proposed statement in BR section 8.3 also
> requires the CA to adhere to the latest published version. But nobody can
> assure compliance with it all the time. Even if a particular version
> number could be stated, practically it'll take quite a long time to
> modify our CPS just due to some minor changes in the BR by CAB/Forum.
When they adopt something, they also give you a reasonable time to
comply with those changes.
> 4) On the other hand, since CAs are required to perform a WebTrust audit
> annually anyway, it seems more appropriate for the WebTrust audit
> statement to disclose which version of the BR the CA adheres to.
I think that the WebTrust audit is also based on a certain version of
the BR, and that they might not have been updated yet to check the latest
version. So I think the audit report should indicate which version was
checked. If an audit was not for the latest version, that doesn't mean the
CA shouldn't already be complying with the later version or be working on
complying with it.
Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy