I agree with Peter that the policy shouldn’t detail the steps for Physical 
Relocation. As written, it seems to confuse offline roots with online 
issuing CAs that are typically housed in a data center. Moving a CA’s 
online operations to a new data center is quite different from moving 
parts of an offline root from one location to another, the latter being 
something that happens regularly for the purposes of signing new issuing 
CAs, CRLs, etc.

On 5/30/15, 8:25 AM, "Peter Bowen" <pzbo...@gmail.com> wrote:

>On Thu, May 28, 2015 at 7:53 PM, David E. Ross <nobody@nowhere.invalid> 
>wrote:
>> On 5/28/2015 4:32 PM, Kathleen Wilson wrote:
>>> I have started the wiki page for this, and I will appreciate your
>>> feedback on it.
>>>
>>> https://wiki.mozilla.org/CA:RootTransferPolicy
>>
>> It appears that some of the numbered items apply only to Physical
>> Relocation while others also apply to Change in Legal Ownership.  This
>> appears implied by the statement under Personnel Changes.  All of this
>> is confusing.
>
>Separately there is transport of the "physical" embodiment of the CA
>-- that is transport of the private key between locations.  This could
>occur due to a transfer of the CA or due to normal operations of the
>CA.
>
>WebTrust for CAs requires "the storage of required cryptographic
>materials (i.e., secure cryptographic device and activation materials)
>at an alternate location" for business continuity purposes, so every
>WebTrust CA will at some point have to transport the private key
>between locations.  I suspect ETSI has a similar requirement.
>
>With this requirement in mind, I don't think it makes sense for
>Mozilla to specify a transport procedure or process in detail.
>Rather, I would simply focus on the fact that the WebTrust (or ETSI)
>requirements apply at all times, even during transport.  So the CA
>must ensure that "physical access to CA [...] equipment is limited to
>authorized individuals", the equipment "is operated under multiple
>person (at least dual custody) control", and "unauthorized CA system
>usage is [able to be] detected" at all times.  The auditor must
>confirm that there are appropriate procedures in place to ensure that the
>requirements are met and those procedures are followed.  This is
>already required by the overall Mozilla CA policy, so I don't think a
>supplemental policy is needed.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy