On 11/15/2008 06:29 PM, Ian G:
I agree it is an issue that we should try and
clarify, if not nail down.

Sounds good!


One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots.

This is the situation we had until recently, with CAs under their own control. Of course the CA is "responsible" for all its subroots...

So this would imply that the root CA's
policies and audit drill down through the subroots, and they apply.
Then, it would be up to the root auditor to decide whether a subroot
needed a separate audit or not.

Except that some CA policies many times don't even cover the aspects of the subordinate CAs. Such "root" CAs are simply audited as their CP/CPS defines. An auditor is not required to audit something not claimed in their policies. Auditors generally confirm the claims made in the CP/CPS, not those that aren't made.


One problem with this is that it might also not be realistic. Consider
two CAs, one of which does "style A" and another does "style B". In the
doco and audit for the root CA, there will be a need somehow to capture
that distinction. The natural direction here will end up that the root's
policies will tend to say "see the subroot's policies for more detail."

If that policy was part of the audit, that would already provide good indications.


So Mozilla's review of this will be looking at a blank spot. E.g.,
future subroots. I see this contrast all too frequently. We accept the base
situation, then the CA goes and issues another subroot. Suddenly a whole
new class of activity has occurred, and there is no check done on this
until the next audit, and none at all by Mozilla.

Right. It was suggested to require a yearly audit or by other frequency.

Either way we look at it, I feel that the more controls are put in
place, the more we end up putting in "paper fixes" and the more we
complicate things for a gain that we don't fully understand.

I don't perceive it as such at all. What do we not understand? There is a very competent team at work (Kathleen, Gerv, Frank) and a few of us here. I think the issues are fully understood.


Alternatively, we just set the responsibility, and pass it to the root CA.


That's what we had previously. Some easy-to-find flaws have already been detected (DigiNotar, Staat der Nederlanden). Those were just the ones we came across by chance; I don't even want to know about everything we don't know.

In this we could typically include
the disclaimers of liability, and how we would deal with the disputes,
e.g., over the activities of the CA's wilder subroots, and at an extreme
level, any root revocation at Mozilla's discretion.


One of the problems is of course that no follow ups exist currently as you correctly stated above. So far nobody has ever dedicated time to review CAs not up for inclusion.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto