On 08/03/2017 06:27, Ryan Sleevi wrote:
On Tue, Mar 7, 2017 at 11:23 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

I saw nothing in Gerv's posting suggesting that banning all kinds of
RA/DTP relationships was the intended effect.


But would you also acknowledge that your originally stated "The point is
NOT to prohibit RAs" is similarly not provided?

I highlight this, because I want to make sure you're not prematurely
dismissing policy suggestions because you disagree.


I am simply going by the wording in Gerv's posting not stating what you
stated.  I presume that if Gerv wanted to completely eliminate the DTP
concept for Mozilla trusted CAs, then that's what he would have written.


As to the rest of your message, you describe what have historically been
called RAs/DTPs. You have not, however, answered my question - which is
what impact, if any, do you believe would happen if Mozilla considers the
policy I suggested: That is, to require that anything which 'historically'
was considered an RA be treated as an externally operated sub-CA.


For the kind of RA that is a combined reseller/control everything
related to issuing (the Symantec case), there would be no significant
change in burden for the RA.

For the kind of RA that only does specific relevant parts of validation
(a "traditional" RA), the suggested policy as written would "simply"
require the CA to set up and maintain one (set of) subCAs for each of
their RAs, while your rephrasing as a ban on RA/DTP relationships would
impose the full cost of a formal WebTrust (etc.) audit on RAs that only
perform a specific limited function that could be audited much cheaper,
provided the CA systems were set up to have little dependency on
certificate specific activities and security at the RAs.


This misunderstands Policy 1 then, and is perhaps the substance of our
unintentional disagreement.

If a CA sets up and maintains one (set of) sub CAs for each RA, then each
of those subCAs would need to be audited. This is no different than the
existing requirements, within the Baseline Requirements, that each DTP be
audited. I would highlight Section 8 of the Baseline Requirements for you,
and ask that you clarify where, under the existing policies (e.g. ignoring
any policy proposal) you believe there is any provision for allowing a DTP
to be "audited much cheaper".

If you believe such a thing is possible (I would argue incorrectly so, but
hear me out), then what we're effectively saying is that a set of
Principles and Criteria are not examined by the audit, because the
operation and majority of the controls are managed by the "Issuing CA" - at
least, within the world today of CA/RA relationships. If we believe such a
thing is accepted (and again, not supported by the Baseline Requirements,
and to the extent of my interactions with various auditor/practitioners, I
do not believe currently supported by WebTrust), then I hope you can also
see that we can use that self-same logic to conclude that a DTP operating
as an externally operated sub-CA - but one in which the "Issuing CA" handles
the operation and majority of controls for - is effectively the same thing.

Do you agree with that logic? Can you clarify where and why you disagree
with the analysis above?


Having not fully studied the exact wording of the BRs, I operate under
the assumption that the longer phrasing "... an audit report, issued
under the auditing standards that underlie the accepted audit schemes
found in Section 8.1 ..." as quoted from section 8.4 in earlier
discussion of the Symantec case was intentionally so phrased to
indicate that the audit of a DTP would not be the same as a full
WebTrust CA audit, but would only cover those aspects of those criteria
which would be applicable to the performance of the particular DTP role.

If that quote is indeed from the relevant part of the BRs, then I
would posit that if the BR authors had wanted all kinds of DTPs to be
subject to a full WebTrust audit, they would not have used this more
complex phrase.


For example, an RA whose sole involvement is to receive a daily list of
company name/idno/address/authorized signatory for pending
applications, go down to the state hall of records and report back
which ones match/do not match official company records (to support EV
certification for that state) would only need auditing of that activity
and the security of the system used to exchange that list and report
with the CA's central validation team.


Please provide a citation to the Baseline Requirements or Mozilla policy to
support this statement. I would suggest Section 8.4 provides
counter-evidence to this claim, and as such, because the argument rests on
this claim, needs to be addressed before we might make further progress.


I refer to the earlier quote ostensibly from section 8.4 itself.

Worse, I chose the precise term of "Delegated Third Party" to avoid
confusion with the explicitly-called out case within the Baseline
Requirements regarding "Enterprise RA".

Sorry, I overlooked the existence of a special case for the "Enterprise
RA" scenario.  That part can then be eliminated from the discussion.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
