On Tue, Nov 3, 2015 at 4:24 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> Topic to discuss [1]:
> "(D3) Make the timeline clear about when the audit statements and disclosure
> have to happen for new audited/disclosed subCAs."
>
> Section 10 of the Inclusion Policy says:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> "The CA with a certificate included in Mozilla's CA Certificate Program MUST
> disclose this information before any such subordinate CA is allowed to issue
> certificates."
>
> Additionally, section 8.1 of version 1.3 of the Baseline Requirements
> specifies when the audits must occur: "before issuing Publicly-Trusted
> Certificates, the CA SHALL successfully complete a point-in-time readiness
> assessment performed in accordance with applicable standards under one of
> the audit schemes listed in Section 8.1. The point-in-time readiness
> assessment SHALL be completed no earlier than twelve (12) months prior to
> issuing Publicly-Trusted Certificates and SHALL be followed by a complete
> audit under such scheme within ninety (90) days of issuing the first
> Publicly-Trusted Certificate."
>
> What further clarification needs to be added to Mozilla's CA Certificate
> Policy to make it more clear when the audit statements and disclosure have to
> happen for new subCAs?
It would be good to clarify whether "subordinate CA" means the operator of the subordinate CA (a company or individual) or if it means the CA itself (e.g. the tuple of keypair and distinguished name).

I think that the reasonable view is that:

- Each operator of one or more CAs must have publicly posted either a Type 1/Point in Time audit report or a Type 2/Period of Time audit report prior to receiving a cross-certification from another CA that is publicly trusted (e.g. is either in the trust store or is itself cross-certified).

- Each cross-certificate must be publicly disclosed prior to the subject CA issuing certificates. The disclosure must include the items listed (e.g. each individual subject CA must list the CP, CPS, operator name, and operator URL) and must be updated when reasonably possible to include a test website URL. (See https://wiki.mozilla.org/CA:SubordinateCA_checklist#Third-Party_Subordinate_CAs_that_are_not_Technically_Constrained)

I would also add an allowance for the case where a cross-certificate is issued to an existing CA which already has another public cross-certificate and is already issuing certificates. In this case the new cross-certificate and subject CA information must be disclosed within X business days of issuance.

This ensures that the audit is complete before cross-certification and that there is not a gap where the cross-certified CA is issuing certificates without being disclosed. It also ensures that all cross-certificates are disclosed, not just the first one a CA receives.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy