Telia CA is legally operated by "Telia Finland Oyj" so that there is common management within several Telia units. For Telia CA the partially common management consists of three fully Telia-owned affiliated companies: "Telia Company AB", "Telia Finland Oyj" and "Cygate AB". In this case, as Peter said, it is the normal way to create only one audit report that covers multiple legal entities simply by indicating operations in multiple countries. This is what we have provided.
I think that Moudrick is using the term "PKI participant" as if it meant "Delegated Third Party". But I think that is not the right term for Telia CA. The best definitions I found for "third party" and "affiliate" are from the BR, and it is clear that the Telia CA case is the latter (not delegating functions):

Delegated Third Party: A natural person or Legal Entity that is not the CA but is authorized by the CA, and whose activities are not within the scope of the appropriate CA audits, to assist in the Certificate Management Process by performing or fulfilling one or more of the CA requirements found herein.

Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity.

All three listed Telia affiliates were included in the Telia CA audit scope. There are no non-audited Telia CA parts for TLS. In our Server CP/CPS 1.3.2 we say that "All RA functions in this CPS are performed internally by Telia. Telia will not delegate domain validation to be performed by a third-party". On the Telia client certificate process we define in our Client CP/CPS how an Enterprise RA may be used and that Telia Class 3 client certificates (which are outside of the Mozilla context) are using an external RA. I think that Enterprise RA is a normal concept for client certificates. I can't see any problems in this either.

I hope that Mozilla now concludes whether there is something that is against Mozilla policies or not. I haven't yet found any relevant issues in this discussion. I'm ready to improve our CPS or suggest a new audit report formulation next time if I get instructions on how. Our new root should be accepted soon so that we can replace the old one that has technical issues (see the audit report).

On Wednesday, 5 January 2022 at 14:28:53 UTC+2 [email protected] wrote:
> Thanks, Peter
>
> "*Mozilla has never required that all legal entities be disclosed or
> receive separate WebTrust audits when the CA operations are under common
> management and governance.*"
>
> I'm afraid this is a different case - BTW so far nobody requested separate
> audits.
>
> The applicant - Telia Finland Oyj is a legal entity (with its own
> management) and the fact that it's owned by another company (Telia Company
> AB) doesn't create any privileges for the latter, meaning that if the owner
> is a PKI participant, its roles, obligations need to be clearly disclosed.
> According to the audit report I quoted earlier, Telia Company AB is the CA.
>
> "*I do not believe that what Telia is presenting is materially different
> from what other CAs present.*"
>
> The CAs you are referring to are legal entities doing CA business; this is
> not the case here - Telia Company AB and its affiliates are telcos/ISPs and
> from a business point of view their income from the CA operations relative
> to their business is near 0%. So from the root program point of view this
> CA is unique.
>
> "*Mozilla does not require that a CP exist at all. It is fully acceptable
> to only have a CPS - that is a single document that lays out the practices
> of the CA.*"
>
> I'm sure you know better what Mozilla requires, but I'm relying on the
> publicly available policy, see section 3.3 here
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#2-certificate-authorities
>
> Thanks,
> M.D.
>
> On Wed, Jan 5, 2022, 11:49 Peter Bowen <[email protected]> wrote:
>
>> Moudrick,
>>
>> Thanks for clearly breaking down your concerns. Based on this, and
>> the other messages in this thread, I don't think that some of these
>> are issues under the Mozilla policy. Please see my comments below.
>>
>> On Tue, Jan 4, 2022 at 11:00 PM Moudrick M. Dadashov
>> <[email protected]> wrote:
>> >
>> > Disclosing shared CA resources
>> >
>> > I'm looking for the CA's human/material resources that are shared with
>> > third parties (irrelevant to ownership); in your response I see only the
>> > names of three companies.
>> >
>> > The audit report
>> >
>> > You explained that "Audit covered all relevant company parts under
>> > "Telia Company AB" including "Telia Finland Oyj". I still can't understand
>> > why this fact is hard to understand." The problem here is that we need a
>> > single legal entity as the CA cooperates with other PKI participants -
>> > these roles must be disclosed clearly (no matter who owns what).
>> >
>> > If Telia Finland Oyj is the CA, then all others, including Telia
>> > Company AB, should be PKI participants. You need to disclose this. In the
>> > meantime the audit report states:
>> >
>> > "Telia makes use of external registration authorities for subscriber
>> > registration activities, as disclosed in Telia's business practices. Our
>> > procedures did not extend to the controls exercised by these external
>> > registration authorities."
>> >
>> > So, we have two different audit scenarios here:
>> >
>> > a) as the audit report is issued to the CA known as Telia Company AB,
>> > then the other PKI participants - Telia Finland Oyj and Cygate AB - need to
>> > be audited according to their roles.
>> >
>> > b) in case Telia Finland Oyj is audited as the CA, then the other
>> > two PKI participants - Telia Company AB and Cygate AB - need to be audited
>> > according to their roles.
>> >
>> > Again, this has nothing to do with the ownership relationship.
>>
>> Mozilla has never required that all legal entities be disclosed or
>> receive separate WebTrust audits when the CA operations are under
>> common management and governance. Many of the WebTrust audit reports
>> implicitly cover multiple legal entities simply by indicating
>> operations in multiple countries. A few WebTrust audit reports that I
>> checked, including DigiCert, Sectigo, Google, and GlobalSign, all
>> indicate operations in more than one country. As most countries
>> require that people who work in that country be employed by a legal
>> entity in that country, I fully expect that all these audit reports
>> cover multiple legal entities.
>>
>> I do not believe that what Telia is presenting is materially different
>> from what other CAs present. If Mozilla wants to have all the legal
>> entities involved listed in the audit report, that is something that
>> should be included in the Mozilla policy; this would need to be carefully
>> considered, as it does not only impact multi-country CAs, but also CAs
>> that lease data center space, contract other companies to provide
>> physical security, or perform other actions covered under the audit.
>>
>> > Separation of CP and CPS provisions
>> >
>> > You explain that "There are no requirements to specifically separate CP
>> > and CPS texts." According to the RFC, the content of these two documents
>> > should be different. I'm ok with the combined document CP/CPS (but not
>> > content!) - I can't see which part of the combined document should be
>> > considered CP. At least section/page numbers could help.
>>
>> Mozilla does not require that a CP exist at all. It is fully
>> acceptable to only have a CPS - that is a single document that lays
>> out the practices of the CA.
>>
>> > Audit scope
>> >
>> > Sorry, I can't accept your arguments, see The audit report above.
>> >
>> > ********************
>> >
>> > To sum up, obviously we are in a loop, I don't see any reason to
>> > change my opinion (see 2021-12-29 email).
>> >
>> > Thanks,
>> > M.D.
>>
>> From my perspective, the issues you raise are not issues under current
>> Mozilla policy.
>>
>> Thanks,
>> Peter
>> (my personal view and does not necessarily reflect the views of anyone
>> else)