Re: Question about BR audit
I think this is okey. m...@chemalogo.com +34 666 429 224 (Spain) gplus.to/chemalogo @chemalogo https://twitter.com/chemalogo/ www.linkedin.com/in/chemalogo Skype: chemalogo On Tue, Mar 11, 2014 at 12:19 AM, Kathleen Wilson kwil...@mozilla.comwrote: On 3/6/14, 9:58 AM, Kathleen Wilson wrote: On 3/3/14, 10:33 AM, Kathleen Wilson wrote: All, I received the following question from an auditor, and would appreciate hearing your opinions on it. This question is in regards to a new CA inclusion request. New CAs are frequently not members of the CA/Browser Forum, so they tend to find out about the Baseline Requirements audit when they apply for inclusion. For those CA who have done the compliance with the Baseline Requirements for the first time, will your root certificate program accept a point-in-time readiness assessment audit against the WebTrust Baseline Requirements Program? For reference, our documented expectations are here: https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria Thanks, Kathleen Based on the discussion so far, it appears that folks are OK with new CAs getting a point-in-time readiness assessment audit the first time they get a Baseline Requirements audit, as long as the CA has also been getting the other audits (WebTrust CA or ETSI TS 102 042) done annually. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_ Frames_for_included_CAs_to_comply_with_the_new_policy Currently says: Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. Mozilla's CA Certificate Policy version 2.1 and later requires a BR audit, but doesn't say anything about a point-in-time readiness audit. How about if I update the wiki page as follows? Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. Thanks, Kathleen I made the proposed change to the wiki page. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_ Frames_for_included_CAs_to_comply_with_the_new_policy Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. Please let me know if you see any problems with this change. Thanks, Kathleen PS: I also updated a few of the links in that page. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Question about BR audit
On 3/6/14, 9:58 AM, Kathleen Wilson wrote: On 3/3/14, 10:33 AM, Kathleen Wilson wrote: All, I received the following question from an auditor, and would appreciate hearing your opinions on it. This question is in regards to a new CA inclusion request. New CAs are frequently not members of the CA/Browser Forum, so they tend to find out about the Baseline Requirements audit when they apply for inclusion. For those CA who have done the compliance with the Baseline Requirements for the first time, will your root certificate program accept a point-in-time readiness assessment audit against the WebTrust Baseline Requirements Program? For reference, our documented expectations are here: https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria Thanks, Kathleen Based on the discussion so far, it appears that folks are OK with new CAs getting a point-in-time readiness assessment audit the first time they get a Baseline Requirements audit, as long as the CA has also been getting the other audits (WebTrust CA or ETSI TS 102 042) done annually. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy Currently says: Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. Mozilla's CA Certificate Policy version 2.1 and later requires a BR audit, but doesn't say anything about a point-in-time readiness audit. How about if I update the wiki page as follows? Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. Thanks, Kathleen I made the proposed change to the wiki page. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. Please let me know if you see any problems with this change. Thanks, Kathleen PS: I also updated a few of the links in that page. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Question about BR audit
On 3/3/14, 10:33 AM, Kathleen Wilson wrote: All, I received the following question from an auditor, and would appreciate hearing your opinions on it. This question is in regards to a new CA inclusion request. New CAs are frequently not members of the CA/Browser Forum, so they tend to find out about the Baseline Requirements audit when they apply for inclusion. For those CA who have done the compliance with the Baseline Requirements for the first time, will your root certificate program accept a point-in-time readiness assessment audit against the WebTrust Baseline Requirements Program? For reference, our documented expectations are here: https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria Thanks, Kathleen Based on the discussion so far, it appears that folks are OK with new CAs getting a point-in-time readiness assessment audit the first time they get a Baseline Requirements audit, as long as the CA has also been getting the other audits (WebTrust CA or ETSI TS 102 042) done annually. https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy Currently says: Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. Mozilla's CA Certificate Policy version 2.1 and later requires a BR audit, but doesn't say anything about a point-in-time readiness audit. How about if I update the wiki page as follows? Any Certificate Authority being considered for root inclusion after February 15, 2013 must comply with Version 2.1 of Mozilla's CA Certificate Policy. This includes having a Baseline Requirements audit performed if the websites trust bit is to be enabled. Note that the CA's first Baseline Requirements audit may be a Point in Time audit. Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Question about BR audit
On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson kwil...@mozilla.com wrote: New CAs are frequently not members of the CA/Browser Forum, I guess that's reasonable. so they tend to find out about the Baseline Requirements audit when they apply for inclusion. The idea that an organization wants to run a globally-trusted CA but has not found out about the Baseline Requirements before applying seems pretty scary. -- Henri Sivonen hsivo...@hsivonen.fi https://hsivonen.fi/ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Question about BR audit
On 3/4/14, 8:00 AM, Rich Smith wrote: On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote: For those CA who have done the compliance with the Baseline Requirements for the first time, will your root certificate program accept a point-in-time readiness assessment audit against the WebTrust Baseline Requirements Program? Lacking full information, I assume this means that as a new CA, they have no (or very little) issued track record of BR compliant certificates upon which to base a full compliance audit, so are asking if a point in time readiness assessment of BR compliance is sufficient. If my assumption of the situation is correct, it seems a reasonable request. Yes, your assumption is correct. Accepting a point-in-time BR audit from a new CA means that the previously issued certs that are still valid may be non-compliant with the BRs in worse ways than not having an OCSP URI in the AIA. However, the same could be true of the CAs currently in Mozilla's program who issued long-lived certs before the BRs went into effect. Of course, a full WebTrust CA or ETSI TS 102 042 audit is required before a CA's inclusion request may be considered (when they are asking for the websites trust bit to be enabled). Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Question about BR audit
All, I received the following question from an auditor, and would appreciate hearing your opinions on it. This question is in regards to a new CA inclusion request. New CAs are frequently not members of the CA/Browser Forum, so they tend to find out about the Baseline Requirements audit when they apply for inclusion. For those CA who have done the compliance with the Baseline Requirements for the first time, will your root certificate program accept a point-in-time readiness assessment audit against the WebTrust Baseline Requirements Program? For reference, our documented expectations are here: https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria Thanks, Kathleen ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy