On 1/31/2015 3:42 AM, Jeremy Rowley wrote:
> Snipped to try and make the convo less confusing.
>
>  [MH] If that's the case, the trustworthiness of a Webtrust audit would be 
> weakened. Auditors should obtain the CA's assertion of compliance, and assess 
> whether it's reasonable with respect to the CA's CP/CPS and the target scope 
> of audit (i.e. the BR). And finally give their opinions in Webtrust audit 
> report for public knowledge.
> [JR] Per 8.3 that assertion of compliance must (and should) be made publicly. 
> You're not representing to the auditors that the CA is compliant, you're 
> representing compliance to the Mozilla's end users. To me, that's a very 
> important assertion.
[MH] The CA's assertion of compliance with the Webtrust audit report is
also open to the public. Since it is an important assertion, it must be read
together with the audit report. If a CA fails some BRs according to the
"latest version" of the BRs, but had already made that statement (probably
because it was true in a previous version), it becomes a false statement
which in fact misleads end users.
>
> [MH] Requiring a CA to comply with the BRs is a good thing. But I also point out that 
> once a CA puts a statement of compliance with the "latest version" of the BRs in its 
> CP/CPS, the CA has committed to the public that it "has already complied" with 
> all potential changes of the BRs at all times. That may be a false statement. The 
> proper approach is for Mozilla's CP to require the CA to perform an audit on the 
> latest version of the BRs. And the audit report must state which version of the BRs 
> the CA adheres to.
> [JR] I agree, but the CA should also represent which version they are 
> complying with.  Audits only happen annually.  Reliance on certificates is a 
> year-around event.  I want to know if the CA changes their policies to match 
> the most current version of the BRs.  Unless you have a daily audit, that 
> only happens with a CA's assertion of compliance. 
[MH] The BRs may be changed at any time before the next audit of a CA. As for
public knowledge of whether the CA would need to change its practice due to
a change of BR version, Mozilla had been doing this through Mozilla's
communications and then maintaining a spreadsheet. I think that is the
better way.
>
> [MH] A CA's assertion is a mandatory requirement of a Webtrust audit. If an 
> auditor has prepared the audit report, there should be no doubt.
> [JR] Only at the time of the audit.  What about the other 364 days?
[MH] As you said, reliance on certificates is a year-round matter. I'd
prefer to know exactly which BRs the CA has already complied with, rather than
being misled by a statement for the other 364 days.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy