On Mon, May 22, 2017 at 7:58 PM, Peter Bowen <pzbo...@gmail.com> wrote:
>
> Why do you need to add 10,000 communication points?  A TCSC is, by
> definition, a subordinate CA.  The WebPKI is not a single PKI, it is a
> set of parallel PKIs which do not share a common anchor.  The browser
> to CA relationship is between the browser vendor and each root CA.
> This is O(root CA operator) not even O(every root CA).  If a root CA
> issues 10,000 subordinate CAs, then they better have a compliance plan
> in place to have assurance that all of them will do the necessary
> things.
>

https://groups.google.com/d/msg/mozilla.dev.security.policy/yS_L_OgI5qk/OhLX9iyZBAAJ
specifically proposed

"For example, no requirement of audit by the enterprise holding the
technically constrained intermediate, and no requirement for audit or
disclosure of certificates issued by the enterprise from the technically
constrained subordinate."

You're certainly correct that, under today's scheme, TCSCs' exemption from
requirements under the Baseline Requirements simply requires Self-Audits
(pursuant to Section 8.7). However, that does not mean that TCSCs must be
on the same infrastructure as the issuing CA - simply that "the CA which
signed the Subordinate CA SHALL monitor adherence to the CA's CP and the
SubCA's CPS" and a sampling audit, by the issuing CA, of either one
certificate or three percent of certificates issued.

That's a much weaker requirement than subCAs.


> It seems this discussion is painting TCSCs with a broad brush.  I
> don't see anything in this discussion that makes the TCSC relationship
> any different from any other subordinate CA.  Both can be operated
> either by the same organization that operates the root CA or an
> unrelated organization.  The Apple and Google subordinate CAs are
> clearly not TCSCs but raise the same concerns.  If there were 10,000
> subordinates all with WebTrust audits, you would have the exact same
> problem.
>

Indeed, although the realities and costs of that make it impractical - as
do the risks exposed to CAs (as recently seen) in engaging in such
relationships without sufficient and appropriate oversight.

But I'm responding in the context of the desired goal, and not simply
today's reality, since it is the goal that is far more concerning.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy