On 24/03/2017 21:03, Jakob Bohm wrote:
On 24/03/2017 19:08, Ryan Sleevi wrote:
On Fri, Mar 24, 2017 at 1:30 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

Examples discussed in the past year in this group include the Taiwan
GRCA roots and several of the SubCAs hosted by Verizon prior to the
DigiCert transition.


Apologies for not remembering, but I don't recall the relationship of
either of those discussions to what you described. However, it's very
easy I'm wrong.

Could you link to the threads (ideally, the messages) you believe that
captures this description, so that I can better understand?


For Taiwan GRCA (Government Root CA) apparently operated by Chunghwa
Telecom, this seems most obvious from:

Message-ID:
<mailman.83.1480762782.19729.dev-security-pol...@lists.mozilla.org>
Date: Sat, 3 Dec 2016 00:34:12 -0800 (PST)
From: lcchen.ci...@gmail.com
Subject: Re: Taiwan GRCA Root Renewal Request

For the Verizon rooted tree of multiple CAs, some hosted by Verizon,
some not, look at the long report that is:

Message-ID:
<mailman.489.1478201113.16819.dev-security-pol...@lists.mozilla.org>
Date: Thu, 3 Nov 2016 18:28:10 +0000
From: Jeremy Rowley <jeremy.row...@digicert.com>
Subject: Update on transition of the Verizon roots and issuance of SHA1
    certificates


Peter is correct, we discussed something slightly different, so apologies
for misunderstanding what you were proposing versus what we discussed. It
sounds like what you're describing is what we discussed (white-label),
except the person signing the management assertion is also acting as a
Delegated Third Party for validation. However, because they're the ones
signing the assertion, they're the ones in scope for the audit
presented to root stores - correct?


On this second point, there really should be two signed management
assertions and two public audit reports:

One for the "CA Operator", who needs to comply with every bit of the
BR, security and root program policy requirements.  The "CA Operator"
must have a CP/CPS for the CA which is verbatim identical to the one
provided by the "CA Owner" and part of the audited CA Operation.
In practice, this would often be a "master" assertion and audit for all
the CAs hosted by that "CA Operator".

One for the "CA Owner", who needs to have a compliant CP/CPS, outsource
to a compliant "CA Operator", meet "Delegated Third Party" audit
requirements for any self-performed functions and provide a management
assertion and other evidence that they don't interfere with the
compliance of the "CA Operator" for their CA(s).

Both parties would have audit reports etc. submitted to the root
programs.

Such a double auditing process would solve most of the problems
commonly caused (according to others) by auditors only dealing with one
of the two parties and the other one falling through the cracks.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy