Ian G wrote:
[Note to everyone else who might be confused: Ian is responding to a message that I sent him via email and forgot to also send to the newsgroup. However he's quoted pretty much all of my message, so I'm not going to bother reposting it. To provide some context, I was replying to Ian's comment in n.p.m.crypto about my change in policy being "disappointing to those who are not going the audit route." To provide additional context, immediately before what Ian's quoting below I wrote "The draft policy as written does not rule out having CAs go the non-WebTrust route, it simply requires that WebTrust (or 'WebTrust-equivalent') criteria be used, and puts a burden on the CA to show why we should believe their claim of conformance to the criteria." --Frank]


In other words, this is not a wholesale but rather a strategic retreat from my former position: I am accepting the claim that the WebTrust criteria (or something like them) are the ones that should be used, but I am seeking to preserve the freedom to have CAs show conformance in ways that don't necessarily require them to pay KPMG, E&Y, etc., large amounts of money to get an official WebTrust seal.

It's certainly a clarification of some importance. What this does is to place the criteria as the central point, as opposed to the CPA, etc. That's a welcome clarification, and below I'd recommend more along those lines.

Presumably by "below" you mean your suggestion to reword as "criteria acceptable to the MF".


By accepting the claim that some audit process of the criteria
(derived from WebTrust) is required, you are in the converse
ruling unaudited CAs as not being acceptable.  Opening the
door to low-cost and efficient audits may be an acceptable
alternate.  But, this will only be the case if such audits happen,
hence my concerns below.

Realistically I think we have to require some sort of external scrutiny for CAs, and hence "[rule] unaudited CAs as not being acceptable", at least for the foreseeable future. Otherwise without an audit requirement basically anyone can be a CA, and then we're on the path to self-signed certs as the norm. Now I know that you personally would love us to take a stroll together down that path :-), but as I noted in the metapolicy I think that's a nonstarter given where we're at today.


That is also in part why I used the phrase "third-party attestation" -- stolen from the Microsoft CA requirements -- as opposed to "audit", to avoid the implication that conformance has to be judged by a CPA or equivalent professional. It's just that if the "attestation" is done by people who are not WebTrust auditors then I think people will require -- and I think rightly -- more information in order for them to have confidence in the CA and the third-party review. (For example, we see this in the discussion about T-Systems.)

I see what you are saying. I think the word we are looking at here is audit, which is the process. Auditing is not something that is only done by CPAs or equivalent professionals, in fact, audits are done all the time in organisations by ordinary people.

Actually, after further thought I think my earlier comment was based on my own confusion. I don't think it's an issue of "audit" implying "CPA", rather IMO we can and perhaps should make a distinction between the process and the result, similar to the distinction people make between "evaluation" and "validation" (e.g., for Common Criteria conformance) and between "certification" and "accreditation" (e.g., as used in U.S. government security audits for deployed IT systems).


As you say, "audit" is the process, to which I would reply that "attestation" is the result, i.e., a formal statement by the people doing the auditing. I suspect that this was why Microsoft phrased their requirement the way they did.

This worries me.  The third parties are now being asked to
attest to something that is expected to be of the same
standard as WebTrust.

This can be examined from the pov of when something goes
wrong and there is money involved.  (It is not so useful to
examine the alternates...)  Suppose something goes wrong
and some dispute enters court.  (I'm not suggesting this is
likely, it just makes it easier to bring out the results.)

Now, Ian, remember I said "no legal discussions please" :-) Seriously, I do understand your point about focusing on "criteria as acceptable to MF" and calling out WebTrust as an example of that, vs. using WebTrust directly as the reference criteria. I'll take your comments and suggested revisions into account when doing the next draft.


(See previous post, obviously OMB thought little enough of
WebTrust to ignore it.)

A bit off-topic, but I don't think this was necessarily an issue of OMB's opinion of WebTrust, I think it was more the classic case of the U.S. government creating its own standards because it's always done that. Also, in the context in which the OMB is issuing directives there are also other Federal laws and regulations which have to be taken into account, most notably FISMA ("SOX for the Feds", as we in the trade call it), so a commercially-oriented audit process wouldn't IMO be sufficient in any case.


Frank

--
Frank Hecker
[EMAIL PROTECTED]