Thanks, Peter

"*Mozilla has never required that all legal entities be disclosed or
receive separate WebTrust audits when the CA operations are under common
management and governance.*"

I'm afraid this is a different case - BTW, so far nobody has requested separate
audits.

The applicant - Telia Finland Oyj - is a legal entity (with its own
management), and the fact that it's owned by another company (Telia Company
AB) doesn't create any privileges for the latter, meaning that if the owner
is a PKI participant, its roles and obligations need to be clearly disclosed.
According to the audit report I quoted earlier, Telia Company AB is the CA.

"*I do not believe that what Telia is presenting is materially different
from what other CAs present.*"

The CAs you are referring to are legal entities doing CA business; this is
not the case here - Telia Company AB and its affiliates are telcos/ISPs, and
from a business point of view their income from the CA operations relative
to their business is near 0%. So from the root program point of view this
CA is unique.

"*Mozilla does not require that a CP exist at all. It is fully acceptable to
only have a CPS - that is a single document that lays out the practices of
the CA.*"

I'm sure you know better what Mozilla requires, but I'm relying on the
publicly available policy, see section 3.3 here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities

Thanks,
M.D.



On Wed, Jan 5, 2022, 11:49 Peter Bowen <[email protected]> wrote:

> Moudrick,
>
> Thanks for clearly breaking down your concerns.  Based on this, and
> the other messages in this thread, I don't think that some of these
> are issues under the Mozilla policy.  Please see my comments below.
>
> On Tue, Jan 4, 2022 at 11:00 PM Moudrick M. Dadashov
> <[email protected]> wrote:
> >
> > Disclosing shared CA resources
> >
> > I’m looking for the CA's human/material resources that are shared with
> third parties (irrelevant to ownership), in your response I see only the
> names of three companies.
> >
> >
> > The audit report
> >
> > You explained that "Audit covered all relevant company parts under
> "Telia Company AB" including "Telia Finland Oyj". I still can't understand
> why this fact is hard to understand.", the problem here is that we need a
> single legal entity as the CA cooperates with other PKI participants -
> these roles must be disclosed clearly (no matter who owns what).
> >
> > If Telia Finland Oyj is the CA, then all others, including Telia Company
> AB, should be PKI participants. You need to disclose this. In the meantime
> the audit report states:
> >
> > "Telia makes use of external registration authorities for subscriber
> registration activities, as disclosed in Telia's business practices. Our
> procedures did not extend to the controls exercised by these external
> registration authorities."
> >
> > So, we have two different audit scenarios here:
> >
> > a) as the audit report is issued to the CA known as Telia Company AB,
> then the other PKI participants - Telia Finland Oyj and Cygate AB - need to
> be audited according to their roles.
> >
> > b) in case if Telia Finland Oyj is audited as the CA, then the other two
> PKI participants - Telia Company AB and Cygate AB need to be audited
> according to their roles.
> >
> > Again, this has nothing to do with ownership relationship.
>
> Mozilla has never required that all legal entities be disclosed or
> receive separate WebTrust audits when the CA operations are under
> common management and governance. Many of the WebTrust audit reports
> implicitly cover multiple legal entities simply by indicating
> operations in multiple countries.  A few WebTrust audit reports that I
> checked including DigiCert, Sectigo, Google, and GlobalSign, all
> indicate operations in more than one country.  As most countries
> require that people who work in that country be employed by a legal
> entity in that country, I fully expect that all these audit reports
> cover multiple legal entities.
>
> I do not believe that what Telia is presenting is materially different
> from what other CAs present.  If Mozilla wants to have all the legal
> entities involved listed in the audit report, that is something that
> should be included in the Mozilla policy; this would need to be carefully
> considered, as it does not only impact multi-country CAs, but also CAs
> that lease data center space, contract other companies to provide
> physical security, or perform other actions covered under the audit.
>
> > Separation of CP and CPS provisions
> >
> > You explain that "There are no requirements to specifically separate CP
> and CPS texts."; according to the RFC, the content of these two documents should be
> different. I'm ok with a combined CP/CPS document (but not the content!) - I
> can't see which part of the combined document should be considered the CP. At least
> section/page numbers could help.
>
> Mozilla does not require that a CP exist at all.  It is fully
> acceptable to only have a CPS - that is a single document that lays
> out the practices of the CA.
>
> > Audit scope
> >
> > Sorry, I can't accept your arguments, see the audit report above.
> >
> > ********************
> >
> >
> > To sum up, obviously we are in a loop; I don't see any reason to change
> my opinion (see 2021-12-29 email).
> >
> > Thanks,
> > M.D.
>
> From my perspective, the issues you raise are not issues under current
> Mozilla policy.
>
> Thanks,
> Peter
> (my personal view and does not necessarily reflect the views of anyone
> else)
>
