Re: Audits for new subCAs

On Fri, Apr 6, 2018 at 3:09 PM, Peter Bowen wrote: > > A CP is an optional document and may be maintained by an entity other > than the CA. For example there may be a common policy that applies to > all CAs that have a path to a certain anchor. So including the CA > list in

Re: Audits for new subCAs

On Mon, Apr 2, 2018 at 5:15 PM, Wayne Thayer via dev-security-policy wrote: > On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> >> While Entrust happens to do this, as a relying party, I

Re: Audits for new subCAs

On Thu, Apr 5, 2018 at 4:08 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 04/04/2018 16:01, Ryan Sleevi wrote: > >> On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy < >> >> dev-security-policy@lists.mozilla.org> wrote: >> >> On

Re: Audits for new subCAs

On 04/04/2018 16:01, Ryan Sleevi wrote: On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 03/04/2018 14:57, Ryan Sleevi wrote: On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy <

Re: Audits for new subCAs

On Tue, Apr 3, 2018 at 11:42 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 03/04/2018 14:57, Ryan Sleevi wrote: > >> On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >> On

Re: Audits for new subCAs

On 03/04/2018 14:57, Ryan Sleevi wrote: On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: On 03/04/2018 02:15, Wayne Thayer wrote: On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy <

Re: Audits for new subCAs

On Mon, Apr 2, 2018 at 9:03 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 03/04/2018 02:15, Wayne Thayer wrote: > >> On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy < >> dev-security-policy@lists.mozilla.org> wrote: >> >> >>> While

Re: Audits for new subCAs

On 03/04/2018 02:15, Wayne Thayer wrote: On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: While Entrust happens to do this, as a relying party, I dislike frequent updates to CP/CPS documents just for such formal changes. This

Re: Audits for new subCAs

On Mon, Apr 2, 2018 at 4:36 PM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > While Entrust happens to do this, as a relying party, I dislike frequent > updates to CP/CPS documents just for such formal changes. > > This creates a huge loophole. The CP/CPS

Re: Audits for new subCAs

On 29/03/2018 20:46, Wayne Thayer wrote: Thanks everyone for your input on this topic. I'm hearing consensus that we should not require a newly issued subordinate CA certificate to appear on an audit statement prior to being used to sign end-entity certificates. This is something that could be

Re: Audits for new subCAs

On 02/04/2018 17:12, Julian Inza wrote: El sábado, 31 de marzo de 2018, 3:01:29 (UTC+2), Wayne Thayer escribió: On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote: I think, for new CAs, the KGC report and the stated CP/CPS, combined with ensuring that the next audit that

Re: Audits for new subCAs

El sábado, 31 de marzo de 2018, 3:01:29 (UTC+2), Wayne Thayer escribió: > On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote: > > > > > I think, for new CAs, the KGC report and the stated CP/CPS, combined with > > ensuring that the next audit that covers the period of time

Re: Audits for new subCAs

On Thu, Mar 29, 2018 at 12:55 PM, Ryan Sleevi wrote: > > I think, for new CAs, the KGC report and the stated CP/CPS, combined with > ensuring that the next audit that covers the period of time stated on the > KGC report includes that certificate, seems like a reasonable balance.

Re: Audits for new subCAs

Tim, On Fri, Mar 30, 2018 at 7:00 AM, crawfordtimj--- via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote: > > On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy < > >

Re: Audits for new subCAs

On Thursday, March 29, 2018 at 2:56:17 PM UTC-5, Ryan Sleevi wrote: > On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > I think, for new CAs, the KGC report and the stated CP/CPS, combined with > ensuring that the next

Re: Audits for new subCAs

On Thu, Mar 29, 2018 at 2:46 PM, Wayne Thayer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Thanks everyone for your input on this topic. I'm hearing consensus that we > should not require a newly issued subordinate CA certificate to appear on > an audit statement

RE: Audits for new subCAs

-policy Sent: Mittwoch, 28. März 2018 23:38 To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Audits for new subCAs Entrust does the following: - Each subCA certificate is created through a audited ceremony. The auditor creates a report indicating the key ID and the CPS which was used

Re: Audits for new subCAs

Entrust does the following: - Each subCA certificate is created through a audited ceremony. The auditor creates a report indicating the key ID and the CPS which was used for key generation. - When it is time for the subCA to go into production, an intermediate certificate is issued from a root.

Re: Audits for new subCAs

Both :) Having a new audit per online CA is going to be very expensive and cause TSPs heavily limit the number of online CAs they have. Additionally all of these would be point-in-time audits, which only report on design of controls. Assuming the design is consistent between CAs, then there is

Re: Audits for new subCAs

Peter, Are you advocating for option #2 (TSP self-attestation) because you think that option #3 (audit) is unreasonable, or because you believe there is a benefit to Mozilla's users in a self-attestation beyond what we get from the existing requirement for CCADB disclosure? On Fri, Mar 23, 2018

Re: Audits for new subCAs

On Fri, Mar 23, 2018 at 11:34 AM, Wayne Thayer via dev-security-policy wrote: > Recently I've received a few questions about audit requirements for > subordinate CAs newly issued from roots in our program. Mozilla policy > section 5.3.2 requires these to be

Re: Audits for new subCAs

Apologies. By choosing to use the term TSP when referring to an organization operating a PKI, I thought I had made my meaning clear. I now realize I inferred "certificate" when I used the term "subordinate CA". I meant "subordinate CA certificate" in all cases where I wrote "subordinate CA" or

Re: Audits for new subCAs

On 3/23/2018 11:34 AM, Wayne Thayer wrote: > Recently I've received a few questions about audit requirements for > subordinate CAs newly issued from roots in our program. Mozilla policy > section 5.3.2 requires these to be disclosed "within a week of certificate > creation, and before any such

Re: Audits for new subCAs

On 23/03/2018 19:34, Wayne Thayer wrote: Recently I've received a few questions about audit requirements for subordinate CAs newly issued from roots in our program. Mozilla policy section 5.3.2 requires these to be disclosed "within a week of certificate creation, and before any such subCA is