In-line below

On Wed, Jan 5, 2022 at 2:00 AM Moudrick M. Dadashov <[email protected]> wrote:

> *The audit report*
>
> You explained that "*Audit covered all relevant company parts under
> "Telia Company AB" including "Telia Finland Oyj". I still can't understand
> why this fact is hard to understand.", *the problem here is that we need
> a single legal entity as the CA cooperates with other PKI participants -
> these roles must be disclosed clearly (no matter who owns what).
>
> If Telia Finland Oyj is the CA, then all others, including Telia Company
> AB, should be PKI participants. You need to disclose this. In the meantime
> the audit report states:
>
> "*Telia makes use of external registration authorities for subscriber
> registration activities, as disclosed in Telia's business practices. Our
> procedures did not extend to the controls exercised by these external
> registration authorities*."
>
> So, we have two different audit scenarios here:
>
> a) as the audit report is issued to the CA known as Telia Company AB, then
> the other PKI participants - Telia Finland Oyj and Cygate AB need to be
> audited according to their roles.
>
> b) if Telia Finland Oyj is audited as the CA, then the other two
> PKI participants - Telia Company AB and Cygate AB need to be audited
> according to their roles.
>
> Again, this has nothing to do with ownership relationship.

If I understand correctly, you are trying to highlight the requirements of Section 8.4 of the Baseline Requirements, namely:

*For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL obtain an audit report, issued under the auditing standards that underlie the accepted audit schemes found in Section 8.4, that provides an opinion whether the Delegated Third Party’s performance complies with either the Delegated Third Party’s practice statement or the CA’s Certificate Policy and/or Certification Practice Statement. If the opinion is that the Delegated Third Party does not comply, then the CA SHALL not allow the Delegated Third Party to continue performing delegated functions.*

Is that correct?

> *Audit scope*
>
> Sorry, I can't accept your arguments, see *The audit report* above.

If my above understanding is correct, then I’m not fully sure your argument here is correct. It’s certainly true that the RAs, which are DTPs, need to be audited, but that doesn’t necessarily propagate to the scope of the parent.

There’s been quite a bit of past discussion of this in the CA/Browser Forum, particularly during the WebTrust and ETSI updates. This has included discussions about the expectations for who needs audits when performing particular functions (e.g. the local lawyer in South America who gets copies of documents from the courthouse, verifies them, and uploads them from their home machine was one such point of discussion). More recently, they’ve included discussions about the need for greater transparency, given ETSI ESI representatives have shared they’re pursuing paths that reduce transparency and accountability.

I think your point about transparency, and the need for it, when involving DTPs is apt. However, that doesn’t require tackling that by scope of the CA’s audits, which WebTrust representatives have highlighted is problematic (generally for the exact same reasons ETSI sees it as advantageous); it allows simply for the DTP to be audited.

Pekka,

Can you share the audits for these two DTPs? I believe that may address part of the concern Moudrick is raising.

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHFFDo5jU5LixVhMKym%3DFPYN7KvUBfmyv%3D4xt7YE6%3Db90g%40mail.gmail.com.
