On 11/04/15 00:24, Kathleen Wilson wrote:
> Topic to discuss [1]:
> “(D3) Make the timeline clear about when the audit statements and disclosure
> has to happen for new audited/disclosed subCAs.
>
> Section 10 of the Inclusion Policy says:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
>
> “The CA with a certificate included in Mozilla’s CA Certificate Program MUST
> disclose this information before any such subordinate CA is allowed to issue
> certificates.”
>
> Additionally, section 8.1 of version 1.3 of the Baseline Requirements specifies
> when the audits must occur: “before issuing Publicly-Trusted Certificates, the
> CA SHALL successfully complete a point-in-time readiness assessment performed in
> accordance with applicable standards under one of the audit schemes listed in
> Section 8.1. The point-in-time readiness assessment SHALL be completed no
> earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates
> and SHALL be followed by a complete audit under such scheme within ninety (90)
> days of issuing the first Publicly-Trusted Certificate.”
>
> What further clarification needs to be added to Mozilla’s CA Certificate Policy
> to make it more clear when the audit statements and disclosure has to happen for
> new subCAs?
My impression is that Mozilla need not be explicitly notified of new subCAs; the disclosure may take the form of an update on the CA's website (perhaps even just a new version of the CPS). If so, this would seem to make it difficult for Mozilla or others to monitor adherence to this policy.

For a small number of CAs, I'm not sure where I am supposed to find these disclosures. For example, where are the (non-DigiCert/Verizon-operated) subCAs of Baltimore CyberTrust Root disclosed? (I checked the CPS, CP, http://cybertrust.omniroot.com/repository/ , https://www.digicert.com/digicert-root-certificates.htm , searched bugzilla.mozilla.org, and didn't find it -- I assume I've missed something?)