This is one of the issues with a WebTrust audit in that WebTrust auditors may not look at a CP/CPS depending on the management assertion. The trust in PKI is based on documented procedures, so to not operate against a CP/CPS degrades the trust in PKI. The US Federal PKI has run into a similar issue, where trust in Federal PKI is based on the assurance strength of the certificate policies in a CP/CPS. The audit must verify a CA is following its operational practices to maintain that trust. This model only works if the validation is by a certificate policy and not simple path validation.
If this was added to the Mozilla CP, how would it be enforced and verified? Would the WebTrust letter say it explicitly? What are your pros/cons?

Date: Wed, 23 Nov 2016 10:47:06 +0000
From: Gervase Markham <g...@mozilla.org>
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Let's Encrypt Blocklist Incident, November 21 2016
Message-ID: <xuadntbsnnk37qjfnz2dnuu7-tvnn...@mozilla.org>
Content-Type: text/plain; charset=utf-8

On 22/11/16 20:16, j...@letsencrypt.org wrote:
> organization. Issuance to .mil is not allowed due to contractual
> obligations that are reflected in our Certification Practice
> Statement.

I have just been investigating this issue, as documented in the bug Kathleen links to.

Mozilla policy requires that certificates issued in contravention of a CA's CP/CPS should be revoked, which LE have done. Other than that, Mozilla policy does not directly require (somewhat to my surprise) that a CA operate in accordance with its CP and CPS. We require this indirectly because the audits that we require, require it.

So: should Mozilla's policy directly require that CAs operate in accordance with the appropriate CP/CPS for the root(s) in our store? I can see both pros and cons to directly mandating this.

Gerv