Thanks, Ryan.

Is RA a DTP? According to BRs, RA is a PKI participant (1.3.2) which may delegate some of its functions to third parties:

"With the exception of Section 3.2.2.4 (Validation of Domain Authorization or Control) and Section 3.2.2.5 (Authentication for an IP Address), the CA MAY delegate the performance of all, or any part, of Section 3.2 (Initial identity validation) requirements to a Delegated Third Party, provided that the process as a whole fulfills all of the requirements of Section 3.2.

Before the CA authorizes a DTP to perform a delegated function, the CA SHALL contractually require the DTP to:
1. Meet the qualification requirements of Section 5.3.1 (Qualifications, experience, and clearance requirements), when applicable to the delegated function;
2. Retain documentation in accordance with Section 5.5.2 (Retention period for archive);
3. Abide by the other provisions of these Requirements that are applicable to the delegated function; and
4. Comply with
   a. the CA's Certificate Policy/Certification Practice Statement or
   b. the Delegated Third Party's practice statement that the CA has verified complies with these Requirements."

BTW, section 5 is MANAGEMENT, OPERATIONAL, AND PHYSICAL CONTROLS, section 5.3 defines Personnel controls, where 5.3.1 requires: "Prior to the engagement of any person in the Certificate Management Process, whether as an employee, agent, or an independent contractor of the CA, the CA SHALL verify the identity and trustworthiness of such person."

As Pekka explained, DTP "is not the right term for Telia CA. The best definitions I found for "third party" and "affiliate" are from BR and it is clear that Telia CA case is the latter (not delegating functions)". I agree with Pekka; all we need is for these third parties and affiliates to be clearly disclosed with their PKI participant (BR section 1.3.) and/or personnel roles, if any.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: Ryan Sleevi <[email protected]>
Date: 1/6/22 18:01 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>
Cc: Ryan Sleevi <[email protected]>, [email protected], "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

On Thu, Jan 6, 2022 at 1:18 AM Moudrick M. Dadashov <[email protected]> wrote:

> You asked if my comment was about Delegated Third Parties - sorry, no, I had in mind the CA [1] and its RAs [] as defined in BRs.

I'm not sure I understand this. An RA is a DTP.

> Audit scope
>
> "If my above understanding is correct, then I'm not fully sure your argument here is correct. It's certainly true that the RAs, which are DTPs, need to be audited, but that doesn't necessarily propagate to the scope of the parent."
>
> My comment was about Pekka's argument, which is quite typical to Telia Company AB and its affiliates, that their corporate ownership relationship is directly applicable to the CA operations. I believe this is fundamentally wrong.

I'm sorry, I'm still not sure I think I understand the substance of your argument here, and it does seem like you're ascribing a particular malice to Telia that appears to be unsubstantiated, at least at present.

> The CA has a single audit report and I'm OK with that, but, as I quoted earlier, the audit report says:
>
> "Telia makes use of external registration authorities for subscriber registration activities, as disclosed in Telia's business practices. Our procedures did not extend to the controls exercised by these external registration authorities."

Correct, this part is difficult to square with Pekka's remarks that they were all part of the same audit scope, as the report does not appear to substantiate this.

That is, the WebTrust Illustrative Guidance provides examples on how to disclose if no external RAs are involved, and this seems to highlight a disconnect that bears some clarification, at the minimum.
