Re: Question about BR audit

2014-03-14 Thread Chema López
I think this is okay.

m...@chemalogo.com
+34 666 429 224 (Spain)
gplus.to/chemalogo
@chemalogo 
www.linkedin.com/in/chemalogo
Skype: chemalogo


On Tue, Mar 11, 2014 at 12:19 AM, Kathleen Wilson wrote:

> On 3/6/14, 9:58 AM, Kathleen Wilson wrote:
>
>> On 3/3/14, 10:33 AM, Kathleen Wilson wrote:
>>
>>> All,
>>>
>>> I received the following question from an auditor, and would appreciate
>>> hearing your opinions on it. This question is in regards to a new CA
>>> inclusion request. New CAs are frequently not members of the CA/Browser
>>> Forum, so they tend to find out about the Baseline Requirements audit
>>> when they apply for inclusion.
>>>
>>> For those CAs who have done the compliance with the Baseline Requirements
>>> for the first time, will your root certificate program accept a
>>> point-in-time readiness assessment audit against the WebTrust Baseline
>>> Requirements Program?
>>>
>>>
>>> For reference, our documented expectations are here:
>>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria
>>>
>>> Thanks,
>>> Kathleen
>>>
>>>
>>
>> Based on the discussion so far, it appears that folks are OK with new
>> CAs getting a point-in-time readiness assessment audit the first time
>> they get a Baseline Requirements audit, as long as the CA has also been
>> getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.
>>
>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
>>
>>
>> Currently says:
>> "Any Certificate Authority being considered for root inclusion after
>> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
>> Certificate Policy."
>>
>> Mozilla's CA Certificate Policy version 2.1 and later requires a BR
>> audit, but doesn't say anything about a point-in-time readiness audit.
>>
>> How about if I update the wiki page as follows?
>>
>> "Any Certificate Authority being considered for root inclusion after
>> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
>> Certificate Policy. This includes having a Baseline Requirements audit
>> performed if the websites trust bit is to be enabled. Note that the CA's
>> first Baseline Requirements audit may be a Point in Time audit."
>>
>> Thanks,
>> Kathleen
>>
>>
>>
>
> I made the proposed change to the wiki page.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
> "Any Certificate Authority being considered for root inclusion after
> February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA
> Certificate Policy. This includes having a Baseline Requirements audit
> performed if the websites trust bit is to be enabled. Note that the CA's
> first Baseline Requirements audit may be a Point in Time audit."
>
> Please let me know if you see any problems with this change.
>
> Thanks,
> Kathleen
>
> PS: I also updated a few of the links in that page.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Question about BR audit

2014-03-10 Thread Kathleen Wilson

On 3/6/14, 9:58 AM, Kathleen Wilson wrote:
> On 3/3/14, 10:33 AM, Kathleen Wilson wrote:
>> All,
>>
>> I received the following question from an auditor, and would appreciate
>> hearing your opinions on it. This question is in regards to a new CA
>> inclusion request. New CAs are frequently not members of the CA/Browser
>> Forum, so they tend to find out about the Baseline Requirements audit
>> when they apply for inclusion.
>>
>> For those CAs who have done the compliance with the Baseline Requirements
>> for the first time, will your root certificate program accept a
>> point-in-time readiness assessment audit against the WebTrust Baseline
>> Requirements Program?
>>
>> For reference, our documented expectations are here:
>> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria
>>
>> Thanks,
>> Kathleen
>
> Based on the discussion so far, it appears that folks are OK with new
> CAs getting a point-in-time readiness assessment audit the first time
> they get a Baseline Requirements audit, as long as the CA has also been
> getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
>
> Currently says:
> "Any Certificate Authority being considered for root inclusion after
> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
> Certificate Policy."
>
> Mozilla's CA Certificate Policy version 2.1 and later requires a BR
> audit, but doesn't say anything about a point-in-time readiness audit.
>
> How about if I update the wiki page as follows?
>
> "Any Certificate Authority being considered for root inclusion after
> February 15, 2013 must comply with Version 2.1 of Mozilla's CA
> Certificate Policy. This includes having a Baseline Requirements audit
> performed if the websites trust bit is to be enabled. Note that the CA's
> first Baseline Requirements audit may be a Point in Time audit."
>
> Thanks,
> Kathleen

I made the proposed change to the wiki page.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy
"Any Certificate Authority being considered for root inclusion after 
February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA 
Certificate Policy. This includes having a Baseline Requirements audit 
performed if the websites trust bit is to be enabled. Note that the CA's 
first Baseline Requirements audit may be a Point in Time audit."


Please let me know if you see any problems with this change.

Thanks,
Kathleen

PS: I also updated a few of the links in that page.


Re: Question about BR audit

2014-03-06 Thread Kathleen Wilson

On 3/3/14, 10:33 AM, Kathleen Wilson wrote:
> All,
>
> I received the following question from an auditor, and would appreciate
> hearing your opinions on it. This question is in regards to a new CA
> inclusion request. New CAs are frequently not members of the CA/Browser
> Forum, so they tend to find out about the Baseline Requirements audit
> when they apply for inclusion.
>
> For those CAs who have done the compliance with the Baseline Requirements
> for the first time, will your root certificate program accept a
> point-in-time readiness assessment audit against the WebTrust Baseline
> Requirements Program?
>
> For reference, our documented expectations are here:
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria
>
> Thanks,
> Kathleen

Based on the discussion so far, it appears that folks are OK with new 
CAs getting a point-in-time readiness assessment audit the first time 
they get a Baseline Requirements audit, as long as the CA has also been 
getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.


https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

Currently says:
"Any Certificate Authority being considered for root inclusion after 
February 15, 2013 must comply with Version 2.1 of Mozilla's CA 
Certificate Policy."


Mozilla's CA Certificate Policy version 2.1 and later requires a BR 
audit, but doesn't say anything about a point-in-time readiness audit.


How about if I update the wiki page as follows?

"Any Certificate Authority being considered for root inclusion after 
February 15, 2013 must comply with Version 2.1 of Mozilla's CA 
Certificate Policy. This includes having a Baseline Requirements audit 
performed if the websites trust bit is to be enabled. Note that the CA's 
first Baseline Requirements audit may be a Point in Time audit."


Thanks,
Kathleen



Re: Question about BR audit

2014-03-04 Thread Kathleen Wilson

On 3/4/14, 8:00 AM, Rich Smith wrote:
> On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote:
>
>> For those CAs who have done the compliance with the Baseline Requirements
>> for the first time, will your root certificate program accept a
>> point-in-time readiness assessment audit against the WebTrust Baseline
>> Requirements Program?
>
> Lacking full information, I assume this means that as a new CA, they have no
> (or very little) issued track record of BR compliant certificates upon which
> to base a full compliance audit, so are asking if a point in time readiness
> assessment of BR compliance is sufficient.  If my assumption of the
> situation is correct, it seems a reasonable request.

Yes, your assumption is correct.

Accepting a point-in-time BR audit from a new CA means that the 
previously issued certs that are still valid may be non-compliant with 
the BRs in worse ways than not having an OCSP URI in the AIA. However, 
the same could be true of the CAs currently in Mozilla's program who 
issued long-lived certs before the BRs went into effect.


Of course, a full WebTrust CA or ETSI TS 102 042 audit is required 
before a CA's inclusion request may be considered (when they are asking 
for the websites trust bit to be enabled).


Thanks,
Kathleen



Re: Question about BR audit

2014-03-04 Thread Rich Smith
On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote:

> For those CAs who have done the compliance with the Baseline Requirements
> for the first time, will your root certificate program accept a 
> point-in-time readiness assessment audit against the WebTrust Baseline 
> Requirements Program?

Lacking full information, I assume this means that as a new CA, they have no
(or very little) issued track record of BR compliant certificates upon which
to base a full compliance audit, so are asking if a point in time readiness
assessment of BR compliance is sufficient.  If my assumption of the
situation is correct, it seems a reasonable request.

-- 

Regards,

Rich Smith

Validation Manager

Comodo

  http://www.comodo.com


Re: Question about BR audit

2014-03-04 Thread Henri Sivonen
On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote:
> New CAs are frequently not members of the CA/Browser Forum,

I guess that's reasonable.

> so they tend to find out about the Baseline Requirements audit when
> they apply for inclusion.

The idea that an organization wants to run a globally-trusted CA but
has not found out about the Baseline Requirements before applying
seems pretty scary.

-- 
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/


Question about BR audit

2014-03-03 Thread Kathleen Wilson

All,

I received the following question from an auditor, and would appreciate 
hearing your opinions on it. This question is in regards to a new CA 
inclusion request. New CAs are frequently not members of the CA/Browser 
Forum, so they tend to find out about the Baseline Requirements audit 
when they apply for inclusion.

For those CAs who have done the compliance with the Baseline Requirements
for the first time, will your root certificate program accept a
point-in-time readiness assessment audit against the WebTrust Baseline
Requirements Program?

For reference, our documented expectations are here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria

Thanks,
Kathleen
