On 11/04/15 00:24, Kathleen Wilson wrote:
> Topic to discuss [1]:
> “(D3) Make the timeline clear about when the audit statements and disclosure has
> to happen for new audited/disclosed subCAs.
> 
> Section 10 of the Inclusion Policy says:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> 
> “The CA with a certificate included in Mozilla’s CA Certificate Program MUST
> disclose this information before any such subordinate CA is allowed to issue
> certificates.”
> 
> Additionally, section 8.1 of version 1.3 of the Baseline Requirements specifies
> when the audits must occur: “before issuing Publicly-Trusted Certificates, the
> CA SHALL successfully complete a point-in-time readiness assessment performed in
> accordance with applicable standards under one of the audit schemes listed in
> Section 8.1. The point-in-time readiness assessment SHALL be completed no
> earlier than twelve (12) months prior to issuing Publicly-Trusted Certificates
> and SHALL be followed by a complete audit under such scheme within ninety (90)
> days of issuing the first Publicly-Trusted Certificate.”
> 
> What further clarification needs to be added to Mozilla’s CA Certificate Policy
> to make it more clear when the audit statements and disclosure has to happen for
> new subCAs?

My impression is that Mozilla need not be explicitly notified of new subCAs; the
disclosure may take the form of an update on the CA's website (perhaps even just
a new version of the CPS). If so, this would seem to make it difficult for
Mozilla or others to monitor adherence to this policy.

For a small number of CAs, I'm not sure where I am supposed to find these
disclosures. For example, where are the (non-DigiCert/Verizon-operated) subCAs
of Baltimore CyberTrust Root disclosed? (I checked the CPS, CP,
http://cybertrust.omniroot.com/repository/ ,
https://www.digicert.com/digicert-root-certificates.htm , searched
bugzilla.mozilla.org, and didn't find it -- I assume I've missed something?)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy