On 23/09/2016 14:29, Kurt Roeckx wrote:
On 2016-09-23 00:57, Peter Bowen wrote:
Kathleen, Gerv, Richard and m.d.s.p,

In reviewing the WebTrust audit documentation submitted by various CA
program members and organizations wishing to be members, it seems
there is possibly some confusion on what is required by Mozilla.  I
suspect this might also span to ETSI audit documentation, but I don't
know the ETSI process as well, so will leave it to someone else to
determine if there is confusion there.

So at least 1 thing I miss in those audit reports is which CAs are
covered. If you look at the CAs they disclosed, how can we be sure that
the audit actually covers that CA? I think the report should cover at
least all root and intermediate CAs that are required to be disclosed by
Mozilla.


Except those that are covered by separate Audit reports (also
submitted).  Examples would include cross-signed copies of other root
CAs (which already submit audit reports), as well as CAs covered by
submitted audit reports of other parts of the same CA organization (for
example, StartCOM might be cross-signed by WoSign but audited
separately, and the WoSign EV SubCA is audited separately under
stricter rules).

For such certificates it would be enough for the parent CA audit report
to list them and state that separate audit reports should be checked
for those (the auditor of the parent CA audit report may not know the
outcome of the subCA audit when issuing his report on the parent
CA).  Of course the audit of the parent CA should still audit the
controls that prevent issuing SubCA certificates that are unlikely to
be compliant, regardless of whether those controls are "we only sign our
own in-house SubCAs using a multi-person signing ceremony" or "we sign
any SubCA that pays a fee and passes a full BR audit by Ernst & Young or
Deloitte".


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
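As an added example (not code from the thread or from Mozilla), the check below encodes the coverage rule discussed above: every disclosed root or intermediate must be in scope of a submitted audit report, or be listed by its parent's report as audited separately under a report that was itself submitted. The hierarchy, fingerprints and auditor names are constructed placeholders.

```python
"""Audit-coverage check for CAs disclosed to a root program (constructed example).

A disclosed CA counts as covered if a submitted report has it in scope, or if its
parent's report defers it to a separate report that was itself submitted."""
from dataclasses import dataclass, field


@dataclass
class AuditReport:
    auditor: str
    in_scope: set                               # fingerprints the auditor examined
    deferred: set = field(default_factory=set)  # listed, but audited under another report


def coverage(disclosed, reports):
    """Map each disclosed fingerprint to 'covered', 'deferred-unsubmitted' or 'uncovered'.

    disclosed: {fingerprint: parent fingerprint, or None for a root}
    reports:   audit reports actually submitted to the root program
    """
    status = {}
    for fp, parent in disclosed.items():
        if any(fp in r.in_scope for r in reports):
            status[fp] = "covered"
        elif any(parent in r.in_scope and fp in r.deferred for r in reports):
            # Parent's auditor pointed at a separate report that never arrived.
            status[fp] = "deferred-unsubmitted"
        else:
            status[fp] = "uncovered"  # no submitted report mentions it at all
    return status


def uncovered(disclosed, reports):
    """Fingerprints a reviewer must chase before accepting the submission."""
    return sorted(fp for fp, s in coverage(disclosed, reports).items() if s != "covered")


# Constructed hierarchy: one root and three intermediates disclosed to Mozilla.
DISCLOSED = {
    "fp-root": None,
    "fp-ev-sub": "fp-root",     # EV SubCA audited separately under stricter rules
    "fp-cross-sub": "fp-root",  # cross-signed other CA, supposedly audited on its own
    "fp-quiet-sub": "fp-root",  # intermediate that no report mentions
}
# Constructed reports: the EV report was submitted, the cross-signed CA's was not.
REPORTS = [
    AuditReport("Auditor A", in_scope={"fp-root"}, deferred={"fp-ev-sub", "fp-cross-sub"}),
    AuditReport("Auditor B", in_scope={"fp-ev-sub"}),
]
```

Running `uncovered(DISCLOSED, REPORTS)` lists the two intermediates a reviewer would need to query the CA about: the one whose separate report was promised but never submitted, and the one no report mentions at all.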