Cut: > An unwatched RA and a sub-CA are effectively equivalent in power. A > watched RA and a sub-CA might not be, if the CA is exercising > effective control and limits on their issuance. There is a distinction > in the BRs between an RA and a sub-CA, with the RA having less onerous > requirements. One could say that the very existence of that > distinction implies that CAs have a duty to carefully watch their RAs.
The equivalency of power is not true most of the time. The term RA/DTP covers a lot of different roles. For example, four commonly used roles are: 1) An entity that does the translation of documents for the CA as defined in the EV Guidelines 2) An entity that gathers the validation documents and submits them to the CA for review in the validation process 3) An entity that identifies the subject identity information for a certificate (for example, in some schools the department may provide the identity proofing of a student that is getting a certificate) 4) An entity that provides verification of the entire certificate contents. Although #3 and #4 should perhaps be audited, by applying a broad requirement you end up capturing a lot more delegated entities than intended. The broad and diverse role of DTPs in the ecosystem is why the audit requirements in Section 8.4 were written to only require audits over those that provide domain validation. Whatever policy is decided, I'm hoping we can exclude translators and entities that are merely gathering documentation. Jeremy -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digicert.com@lists.mozilla .org] On Behalf Of Ryan Sleevi via dev-security-policy Sent: Thursday, March 9, 2017 6:32 AM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Symantec: Next Steps On Thu, Mar 9, 2017 at 6:48 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > That seems to make sense to me. Given that the BRs have the concept of > a DTP, how can we best align the two in practice? Does requiring every > RA to have its own subCA do that? > (Wearing Google hat only for this statement) Have you considered having this discussion in the CA/Browser Forum? Google had planned to discuss this very topic at our upcoming F2F about how to address this, and would be very interested in collaborating with Mozilla on this. I mentioned this recently to Kathleen at the WebTrust TF meetings, but apologies for not mentioning to you as well. > > I recognize that Item 2 "replaces" the criteria for Section 8.2, but > such a > > replacement is neither reflected within the audit report produced > > (when complying with the BRs) with respect to the issuing CA's > > oversight of the DTP - that is, you might reasonably expect a > > qualification, but for > Mozilla > > to ignore said qualification, consistent with Item 2 of "Audit > > Requirements". > > Can an audit be qualified (in the audit sense) by virtue of the person > _doing_ the audit not being formally qualified (in the other sense!) > to use those criteria? I would expect audit qualifications to relate > to the audit subject, not the auditor. > (Back to non-Google hat) You've misunderstood. An auditor performing an audit is not going to "self-qualify" because they aren't licensed. HOWEVER, an Auditor examining the Principles/Criteria of an Issuing CA is going to examine the controls of that CA relative to the operation of DTPs and sub-CAs, and those Principles/Criteria are based on the Baseline Requirements. If the "sub" auditor is not properly licensed - despite that "sub" auditor meeting the definition of Mozilla's "replacement" 8.2, then the issuing CA should reasonably be expected to receive a qualification that their controls are insufficient for the criteria of the Baseline Requirements (which does not have the replacement 8.2) Does that make more sense? In the Sub-CA case, this is "Principle 2: SSL Service Integrity", Criteria 8.2, and for DTPs, Criteria 8.4 > >> Yes, I would expect externally-operated sub CAs to have the correct > >> audits from a Mozilla-qualified auditor. > > > > Just to be clear: Given the definitions above, you believe it's > acceptable > > for sub-CAs to be issued to parties on the basis of the CA's > > judgement as to whether there is "sufficient public information > > available to determine that the party is competent to judge the CA's > > conformance to the stated criteria", and that so long as they do so, > > it does not represent any form of violation of Mozilla Policy, even > > if the CA makes an error in that judgement? > > No, because in the case of a sub-CA, we require audits. And when we > receive them, if they were done by unqualified parties, the CA would > need to flag that, and we would make a judgement about that party's > suitability at the time. The issue here arises that, because of the > way things are set up, these RA's audits were not submitted to > Mozilla, and so Symantec didn't have to resolve the Schrodinger's Cat > of (qualified|not qualified and need us to make a judgement). > > Having danced enough angels for sufficiently long on the head of this > pin, though, it's clear we should fix this. I propose we switch our > auditor requirements to requiring qualified auditors, and saying that > exceptions can be applied for in writing to Mozilla in advance of the > audit starting, in which case Mozilla will make its own determination > as to the suitability of the suggested party or parties. This would > involve removing bullets 3-6 in the Audit section of 2.4, and > rewording bullet 2 to say something like the above. > I'm not sure that we can or should so easily dismiss this with a suggestion that we're dancing on the head of a pin here. I don't understand why you believe it's relevant the act of "Mozilla requiring disclosure of the audits". Can you help me understand where, in the policy, that's required? I highlight this because the question of "qualified or not qualified", for RAs (which are not disclosed), is one where the CA accepts a liability of the decision if they do not seek Mozilla's guidance. For the question of appropriately WebTrust licensed, this has an objective basis for which compliance with Mozilla can be demonstrated at the time the audit was accepted. However, if entering in the to the "CA's discretion" side of the availability of the public information, any CA that fails to obtain Mozilla's opinion a priori bears the liability and responsibility if they stuff that judgement up. I agree that removing the conflicting definition of qualified auditor is likely a suitable outcome, and a much welcome improvement, but I do think we owe it to the community to provide a greater degree of clarity then currently provided by this thread about the expectations related to such audits, both to the qualifications and the independence aspects. > > >> If they didn't have control of the private key of their issuing > >> intermediate(s) (as it seems they did not), then I do think this is > >> a practical distinction from them being an unconstrained > >> subordinate CA, in that they would e.g. not be audited for things like key management. > > > > So the extent of your concern is whether sufficient audit logs were > > maintained, since key management is simply a subset of ensuring an > > appropriate trail related to issuance and services. > > Well, and making sure it's in an HSM, and physically secure, and... right? > No. That's a means to an end, not an end in itself. The only reason you care about the HSM and physical security is because without the HSM and physical security, you can no longer trust the audit logs as sufficient, because you don't know who was signing with the key. But if you equally can't trust the audit logs, then to me, it's no different than if the key was not in an HSM - you still don't know who was signing with a key. I'm trying to separate out the objective from the means of meeting that objective, and I don't believe the key management aspect is a goal in and of itself, but rather one that helps achieve a goal. The difference between a sub-CA and a DTP in this case is that the issuance of the certificates themselves MAY be identified by the parent-CA, if the parent-CA is maintaining proper audit logs, but the information related to the cause of that issuance is dependent on the DTP. If you have reason to suspect that the parent-CA has not maintained proper audit logs - such as, for example, having received a qualification on Criteria 3.10 of the WebTrust for CAs - SSL Baseline Requirements regarding the proper protection of their audit logs and physical security for the protection of said logs - such as Symantec has - https://www.symantec.com/content/en/us/about/media/repository/Symantec-STN-W TCA-2015.pdf - then the ability to distinguish a DTP and a sub-CA is significantly diminished. > An unwatched RA and a sub-CA are effectively equivalent in power. A > watched RA and a sub-CA might not be, if the CA is exercising > effective control and limits on their issuance. There is a distinction > in the BRs between an RA and a sub-CA, with the RA having less onerous > requirements. One could say that the very existence of that > distinction implies that CAs have a duty to carefully watch their RAs. Well, that duty is also spelled out in the BRs and the WebTrust Principles and Criteria, but yes, I very much agree with that assessment, and that duty to carefully watch is one that is both logically derived from the principles and explicitly stated :) _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
