Kathleen,

I think we need to drill down into what is meant by "audit". Also, I don't think a CA who is under ongoing audit obligations should have a special "audit" just for a root transfer. Neither should the current CA that is operating under audit be required to have a special audit.

If two entities (A and B), operating CAs under the WebTrust requirements and both approved as operators by Mozilla, transfer a root key from A to B, then the only thing required should be documented custody and procedural controls that are audited. So one audit - that A and B observed stated custody controls and security procedures when they effectuated the transfer from one location to another.

Also, let's assume, for the sake of discussion, that the root key transfer can be done through a secure VPN tunnel in an encrypted and controlled fashion with an out-of-band transfer of activation data for the encapsulated key, such that the key moves halfway around the world without physical courier. What then?

Ben

>-----Original Message-----
>From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Kurt Roeckx
>Sent: Friday, April 24, 2015 1:37 AM
>To: mozilla-dev-security-pol...@lists.mozilla.org
>Subject: Re: Policy about root cert transfers
>
>On 2015-04-24 01:21, Kathleen Wilson wrote:
>>
>> 4) Before the new CA begins issuing certs in the transferred CA cert
>> hierarchy, there should be an audit performed at the new CA's site to
>> confirm that the transfer was successful and that the root cert is
>> ready to resume issuance.
>
>Would this be a point in time readiness audit, like we expect any new root to be audited?
>
>
>Kurt

_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy