Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-03 Thread Ben Wilson via dev-security-policy
Historically, Mozilla Policy required that CAs "provide attestation of
their conformance to the stated verification requirements and other
operational criteria by a competent independent party or parties with
access to details of the CA's internal operations."
https://wiki.mozilla.org/CA:CertificatePolicyV1.0  "Competency" was "for
whom there is sufficient public information available to determine that the
party is competent to judge the CA's conformance to the stated criteria. In
the latter case the 'public information' referred to should include
information regarding the party's:

   - knowledge of CA-related technical issues such as public key
   cryptography and related standards;
   - experience in performing security-related audits, evaluations, or risk
   analyses; *and*
   - honesty and objectivity."

Today, section 3.2 of the MRSP states, "In normal circumstances, Mozilla requires that audits MUST be
performed by a Qualified Auditor, as defined in the Baseline Requirements
section 8.2," but under section 2.3,
"Mozilla reserves the right to accept audits by auditors who do not meet
the qualifications given in section 8.2 of the Baseline Requirements, or
refuse audits from auditors who do."

Section 8.2 of the Baseline Requirements states an auditor must have:
1. Independence from the subject of the audit;
2. The ability to conduct an audit that addresses the criteria specified in
an Eligible Audit Scheme (see Section 8.1);
3. Employs individuals who have proficiency in examining Public Key
Infrastructure technology, information security tools and techniques,
information technology and security auditing, and the third-party
attestation function;
4. (For audits conducted in accordance with any one of the ETSI standards)
accredited in accordance with ISO 17065 applying the requirements specified
in ETSI EN 319 403;
5. (For audits conducted in accordance with the WebTrust standard) licensed
by WebTrust;
6. Bound by law, government regulation, or professional code of ethics; and
7. Except in the case of an Internal Government Auditing Agency, maintains
Professional Liability/Errors & Omissions insurance with policy limits of
at least one million US dollars in coverage

It is proposed in Issue #192 that information about
individual auditor's qualifications be provided--identity, competence,
experience and independence. (For those interested as to this independence
requirement, Mozilla Policy v.1.0 required either disclosure of the
auditor's compensation or the establishment that the auditor "is bound by
law, government regulation, and/or a professional code of ethics to render
an honest and objective judgement regarding the CA.")

While subsection 3 of BR 8.2 requires "individuals who have proficiency in
examining Public Key Infrastructure technology, information security tools
and techniques, information technology and security auditing, and the
third-party attestation function," that fact needs evidence in order to be
established. The proposed resolution of this Issue #192 intends to
accomplish that.

This proposal to require disclosure of individual auditor qualifications is
very similar to the approach adopted by the U.S. Federal PKI
(see Appendices B-1 and C). E.g., "Did each Audit Opinion Letter identify
the auditor and the individuals performing the audit?"  In practice, the
information about auditor qualifications could be in the form of a separate
document, such as a curriculum vitae.

Some initial, draft language to address this issue is located here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/d0da7cb2b6db38e66c3a72e5c1db0e78e91d8df6

A new subsection 3. would be added to the list of audit requirements that
would require "[the] name(s) and qualifications of individuals performing
the audit, as required by section 3.2" and a new paragraph would be added
to section 3.2 that would say, "A Qualified Auditor MUST have relevant IT
Security experience, or have audited a number of CAs, and be independent
and not conflicted. Individuals have competence, partnerships and
corporations do not. Audit documentation of individual auditor
qualifications MUST be provided to Mozilla that is sufficient for Mozilla
to determine the competence, experience, and independence of the Qualified
Auditor. Mozilla will review each individual auditor’s credentials and
ensure that any Qualified Auditor has the collective set of skills required
by section 8.2 of the Baseline Requirements."

Please provide your comments and suggestions in response to this email.

Thanks,

Ben

Re: NAVER: Public Discussion of Root Inclusion Request

2020-11-03 Thread Ben Wilson via dev-security-policy
The 3-week public discussion was to close on Monday, but I'd like Naver to
provide any further final comments and give anyone else an opportunity to
comment through this Thursday, and then I will proceed with Steps 6-10
(summarize matters, note any remaining items, and make a last call for
objections).

On Fri, Oct 23, 2020 at 10:04 AM Sooyoung Eo via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, October 10, 2020 at 7:31:12 AM UTC+9, George wrote:
> > Minor but it seems like all certificates with a stateOrProvinceName
> field are misissued. The ST field should probably be the "Gyeonggi-do" as
> the "Seongnam-si" entered is a city.
> >
> >
> >
> > ‐‐‐ Original Message ‐‐‐
> > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy <
> dev-secur...@lists.mozilla.org> wrote:
> >
> > > Dear All,
> > >
> > > This is to announce the beginning of the public discussion phase of
> the
> > > Mozilla root CA inclusion process,
> > > https://wiki.mozilla.org/CA/Application_Process#Process_Overview,
> (Steps 4
> > > through 9). Mozilla is considering approval of NAVER Business Platform
> > > Corp.’s request to include the NAVER Global Root Certification
> Authority as
> > > a trust anchor with the websites trust bit enabled, as documented in
> the
> > > following Bugzilla case:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby
> initiate a
> > > 3-week comment period, after which if no concerns are raised, we will
> close
> > > the discussion and the request may proceed to the approval phase (Step
> 10).
> > >
> > > A Summary of Information Gathered and Verified appears here in the
> CCADB:
> > >
> > >
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=0261
> > >
> > > *NAVER Global Root Certification Authority, *valid from 8/18/2017 to
> > > 8/18/2037
> > >
> > > SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265
> > >
> > > https://crt.sh/?id=1321953839
> > >
> > > Root Certificate Download:
> > >
> > >
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST_file_nm=1c3763b33dbf457d8672371567fd1a12.crt_real_file_nm=naverrca1.crt
> > >
> > > CP/CPS:
> > >
> > > Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29)
>
> > > through 42 in Bugzilla contain discussion concerning the CPS and
> revisions
> > > thereto.
> > >
> > > Current CPS is version 1.4.3:
> > >
> > >
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf_real_file_nm=NBP
> Certification Practice Statement v1.4.3.pdf
> > >
> > > Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do
> > >
> > > BR Self Assessment (Excel file) is located here:
> > >
> > > https://bugzilla.mozilla.org/attachment.cgi?id=9063955
> > >
> > > Audits: Annual audits are performed by Deloitte according to the
> > > WebTrust Standard and WebTrust Baseline Requirements audit criteria.
> See
> > > webtrust.org. The last complete audit period for NAVER was from 1
> December
> > > 2018 to 30 November 2019 and no issues were found. However, the audit
> > > report was dated 28 April 2020, which was more than three months
> following
> > > the end of the audit period. The explanation for the delay in
> obtaining the
> > > audit report was as follows, “NBP had received a notification mail on
> > > updating the audit information from CCADB support in March since the
> Root
> > > certificate is only included into Microsoft Root Program. According to
> > > instructions on the email, I explained that NBP would submit the audit
> > > update information in April to Microsoft.” The current audit period
> ends
> > > 30 November 2020.
> > >
> > > *Mis-Issuances *
> > >
> > > According to crt.sh and censys.io, the issuing CA under this root
> > > (NAVER Secure Certification Authority 1) has issued approximately 80
> > > certificates. I ran the following query for the issuing CA to identify
> any
> > > mis-issuances:
> > >
> https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18,
>
> > > and during the course of our review, we identified six test
> certificates
> > > with errors. (Such certificates have either been revoked or have
> expired).
> > > See:
> > >
> > > https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint
> > >
> > > The explanation provided (
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was
> “Regarding
> > > CA/B Forum and X.509 lint tests NBP figured out two(2) certificates
> which
> > > were not complied with BRs right after issuing them. The domains on
> SANs of
> > > the certificates were owned and controlled by 

Re: Audit Reminders for Intermediate Certs

2020-11-03 Thread Kathleen Wilson via dev-security-policy

 Forwarded Message 
Subject: Summary of November 2020 Outdated Audit Statements for 
Intermediate Certs

Date: Tue, 3 Nov 2020 15:00:07 +0000 (GMT)


CA Owner: AC Camerfirma, S.A.
   - Certificate Name: MULTICERT SSL Certification Authority 001
SHA-256 Fingerprint: 06A57D1CD5879FBA2135610DD8D725CC268D2A6DE8A463D424C4B9DA89848696

Standard Audit Period End Date (mm/dd/yyyy): 07/18/2019
BR Audit Period End Date (mm/dd/yyyy): 07/18/2019

   - Certificate Name: DigitalSign Primary CA
SHA-256 Fingerprint: 8101C3BAF9D0EDD71180D1F37D6D75B77B0E8CFB593D342C3A31E467985D4A74

Standard Audit Period End Date (mm/dd/yyyy): 07/22/2019
BR Audit Period End Date (mm/dd/yyyy): 07/22/2019



CA Owner: QuoVadis
   - Certificate Name: DigitalSign Qualified CA - G4
SHA-256 Fingerprint: 41678B8897E635DEA03B6E48565E267BA5AAC3B8F4DC4B74B7A0A9748CFDD35E

Standard Audit Period End Date (mm/dd/yyyy): 07/22/2019





___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy