On Thu, May 28, 2015 at 7:53 PM, David E. Ross <nobody@nowhere.invalid> wrote:
> On 5/28/2015 4:32 PM, Kathleen Wilson wrote:
>> I have started the wiki page for this, and I will appreciate your
>> feedback on it.
>>
>> https://wiki.mozilla.org/CA:RootTransferPolicy
>
> It appears that some of the numbered items apply only to Physical
> Relocation while others also apply to Change in Legal Ownership. This
> appears implied by the statement under Personnel Changes. All of this
> is confusing.
I agree it is confusing. I've read it several times and am still not clear. I think one of the reasons that it is not clear is that the term "CA" gets used for multiple things:

1) The entity that operates one or more CAs
2) A single CA which has policies, practices, procedures
3) The key pair and Distinguished Name of the single CA

The concept of a "root transfer" could include transferring one, two, or three of these things.

In one case, control of the entity that operates CAs is transferred as a whole. This could be due to corporate sale or due to reorganization of a larger entity (e.g. a Government operated CA moves from one ministry or department to another ministry or department). The existing entity does not change.

In a second case, the entity currently operating the CA decides to no longer operate the CA and transfers the whole thing (policies, practices, procedures and keys) to a new entity. The original entity continues to exist and carry out other business, which may or may not include operating other CAs.

In the third case, the entity currently operating the CA decides to transfer the key and right to the Distinguished Name (and possibly right to the policy object identifier for EV policies) to another entity. The new entity establishes its own policies, practices, and procedures.

The last two cases could be seen as the same thing, as a CA can change their policies, practices, and procedures at any time, so the last case could be the second case with an immediate change in policy.

This is where I would focus the root transfer policy. When legal control of a given CA changes, what is required? Must the entity that formerly controlled the CA notify Mozilla? Must the new entity notify Mozilla? How must the notification be provided? What information must be provided? What information must be public and what information is held confidential by Mozilla? I don't see these covered in the wiki and these seem like critical items for the policy.
Separately there is transport of the "physical" embodiment of the CA -- that is, transport of the private key between locations. This could occur due to a transfer of the CA or due to normal operations of the CA. WebTrust for CAs requires "the storage of required cryptographic materials (i.e., secure cryptographic device and activation materials) at an alternate location" for business continuity purposes, so every WebTrust CA will at some point have to transport the private key between locations. I suspect ETSI has a similar requirement.

With this requirement in mind, I don't think it makes sense for Mozilla to specify a transport procedure or process in detail. Rather, I would simply focus on the fact that the WebTrust (or ETSI) requirements apply at all times, even during transport. So the CA must ensure that "physical access to CA [...] equipment is limited to authorized individuals", the equipment "is operated under multiple person (at least dual custody) control", and "unauthorized CA system usage is [able to be] detected" at all times. The auditor must confirm that there are appropriate procedures in place to ensure that the requirements are met and those procedures are followed. This is already required by the overall Mozilla CA policy, so I don't think a supplemental policy is needed.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy