On Tue, Mar 7, 2017 at 9:27 PM, Ryan Sleevi via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
>> For example, an RA whose sole involvement is to receive a daily list of
>> company name/idno/address/authorized signatory for pending
>> applications, go down to the state hall of records and report back
>> which ones match/do not match official company records (to support EV
>> certification for that state) would only need auditing of that activity
>> and the security of the system used to exchange that list and report
>> with the CAs central validation team.
>
> Please provide a citation to the Baseline Requirements or Mozilla policy to
> support this statement. I would suggest Section 8.4 provides
> counter-evidence to this claim, and as such, because the argument rests on
> this claim, needs to be addressed before we might make further progress.
Section 8.4 says:

"If the CA is not using one of the above procedures and the Delegated Third Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.1, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement."

If the DTP is only performing the functions that Jakob lists, then they only need an auditor's opinion covering those functions. In fact there is no way for an auditor to audit functions that don't exist.

For example, consider the WebTrust for CA criterion called "Subordinate CA Certificate Life Cycle Management". If the only CA in scope for the audit does not issue Subordinate CA Certificates, then that criterion is not applicable. Depending on the auditor, it might be that the CA needs to write in some policy (public or private) "the CA does not issue Subordinate CA Certificates."

Many auditors vary how much they charge for their work based on the expected effort required to complete the work. I believe Jakob's point is that an audit where all the criteria are just "we do not do X" is very quick -- for example, a DTP that does not have an HSM and does not digitally sign things is going to be a much cheaper audit than one that does have an HSM and signs things under multi-person control.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy