Eddy Nigg wrote:
> The principle guiding us should be the audit requirements mentioned
> above and there shall be no CA included which hasn't undergone such an
> audit, be it as part of a root or in its own right. A root shall not
> be included in case sub-ordinate CAs exist which haven't seen the face
> of an auditor at least once (not speaking about yearly re-auditing yet).

This issue is going to come up with WISeKey (scheduled for public comment next week), but I may as well speak of it in general terms right now. It is not clear to me that it's realistic for us to require actual audits for each and every third-party subordinate CA. Even beyond the WISeKey model (the "CA in a box" appliance device), I suspect that a number of other CAs serving the enterprise market have enough subordinates that it would be unrealistic to require actual audits of all subordinates in these cases as well. (Which is not to say that there's no auditing at all -- for example, the (root) CA could have some sort of random or spot auditing scheme.)

> Since the Mozilla CA policy clearly calls for auditing of the CA, I
> think that Mozilla will have to share the burden in cases the CAs in
> question haven't been part of such an audit and would like to apply in
> their own right. Not sure how many there will be, but in such a case
> it's simply a matter of implementing the policy.

Well, it does matter how difficult it is to implement a policy, and I think we have to exercise some judgment here. At one end of the spectrum we have situations where we have a small number of subordinate CAs, each of which issues lots and lots of certificates. T-Systems is apparently like this, as are KISA and perhaps others. Here I think it is realistic for us to take a closer look at the subordinates. In other cases, like the "enterprise CA" case mentioned above, there are lots of subordinates, and each subordinate issues relatively few certificates. Here I think it is unrealistic to look at each and every CA; it's quite possible we won't even know the actual names of each and every CA. In these cases I think we will instead have to look at the overall manner in which the (root) CA oversees and controls the subordinates. To echo what I wrote earlier, it's analogous to the case of CAs that out-source the RA function to others, especially in the enterprise environment.

I doubt that, e.g., a WebTrust audit entails auditing each and every organization participating in RA activities; I presume what is done is instead to look at the overall controls in place for such arrangements.

> I think path length should be 0 for such CAs. It's a requirement for the
> issuing CA certificate of EV certificates and makes sense also here.

Thanks. If you have time please feel free to edit the wiki page and add a note on this near the bottom (where subordinates are discussed).

Frank
-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
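As an added example (not part of the thread, and not Mozilla or WISeKey code), here is a minimal model of the RFC 5280 pathLenConstraint processing, showing what setting path length 0 on a subordinate CA certificate actually enforces: the subordinate can issue end-entity certificates, but nothing it issues is accepted as a further CA. The certificate records and CA names are constructed placeholders, not real X.509 objects.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    """Only the fields the check needs; constructed, not real X.509 objects."""
    subject: str
    issuer: str
    is_ca: bool
    path_len: Optional[int] = None  # BasicConstraints pathLenConstraint, None if absent


def check_path_len(chain: List[CertInfo]) -> None:
    """chain runs trust anchor -> intermediates -> end-entity.
    Mirrors the max_path_length bookkeeping of RFC 5280 section 6.1.4,
    steps (l) and (m): each non-self-issued CA certificate consumes one
    unit of depth, and a pathLenConstraint can only lower the budget.
    """
    max_path_length = len(chain) - 1           # 6.1.2 (k): n certificates below the anchor
    for cert in chain[1:-1]:                   # 6.1.4 runs for every certificate but the last
        if not cert.is_ca:
            raise ValueError(f"{cert.subject} is not a CA certificate")
        if cert.subject != cert.issuer:        # (l): self-issued (re-key) certs do not count
            if max_path_length <= 0:
                raise ValueError(f"{cert.subject} violates a pathLenConstraint above it")
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len    # (m): tighten the remaining budget


def path_len_ok(chain: List[CertInfo]) -> bool:
    """True if every pathLenConstraint in the chain is honoured."""
    try:
        check_path_len(chain)
    except ValueError:
        return False
    return True


# Constructed sample hierarchy; the names are placeholders, not real CAs.
ROOT = CertInfo("Root CA", "Root CA", True)
SUB_PL0 = CertInfo("Enterprise Sub CA", "Root CA", True, path_len=0)
SUB_OPEN = CertInfo("Enterprise Sub CA", "Root CA", True)   # same CA, no constraint
DEEPER = CertInfo("Unaudited Sub-Sub CA", "Enterprise Sub CA", True)
LEAF = CertInfo("www.example.test", "Enterprise Sub CA", False)
LEAF_DEEP = CertInfo("www.example.test", "Unaudited Sub-Sub CA", False)

if __name__ == "__main__":
    print(path_len_ok([ROOT, SUB_PL0, LEAF]))                # True: leaf directly under the sub CA
    print(path_len_ok([ROOT, SUB_PL0, DEEPER, LEAF_DEEP]))   # False: pathLen 0 forbids a further CA
    print(path_len_ok([ROOT, SUB_OPEN, DEEPER, LEAF_DEEP]))  # True: without the constraint it passes
```

The third chain shows the contrast the thread is drawing: without the constraint, an unaudited sub-sub CA created by the subordinate chains up perfectly well, and only policy and audit stand in its way.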