
Publicly disclosed and audited policy


Peter Bowen

Jun 15, 2015, 9:55:05 PM
to dev-secur...@lists.mozilla.org
The Mozilla CA Certificate policy says that all certificates which are
capable of being used to issue new certificates must either be
technically constrained or be publicly disclosed and audited.

For certificates in the latter category, there are several requirements.
I'm hoping to get clarity on two of the requirements.


First, the policy says "All disclosure MUST be made freely available and
without additional requirements, including, but not limited to,
registration, legal agreements, or restrictions on redistribution of the
certificates in whole or in part."

If I read this very strictly, then all the items being disclosed have to
essentially be public domain (Creative Commons Public Domain Declaration
or similar), as most any license places requirements on redistribution.
However, I don't think that is probably the intent of the requirement.
Is there a list of what restrictions are acceptable or unacceptable?


Second, the policy says an "annual public attestation of conformance to
the stated certificate verification requirements and other operational
criteria by a competent independent party or parties with access to the
details of the subordinate CA’s internal operations" must be provided.

I'm not clear on what Mozilla expects here when standing up a new
subordinate and disclosing it for the first time. Assuming the operator
has an audit program in place, it is possible that it will be 12+ months
until they have an opinion from their auditor that calls out the new
subordinate (11 months to complete the current period plus up to 60 days
to get opinion). Does the operator just provide a link to their current
audit opinion and a statement that the new certificate will be included
in the audit program?

Thanks,
Peter

Gervase Markham

Jun 17, 2015, 9:07:04 AM
to Peter Bowen
On 16/06/15 02:54, Peter Bowen wrote:
> First, the policy says "All disclosure MUST be made freely available and
> without additional requirements, including, but not limited to,
> registration, legal agreements, or restrictions on redistribution of the
> certificates in whole or in part."
>
> If I read this very strictly, then all the items being disclosed have to
> essentially be public domain (Creative Commons Public Domain Declaration
> or similar), as most any license places requirements on redistribution.
> However I don't think that is probably the intent of the requirement.
> Is there a list of what restrictions are acceptable or unacceptable?

We are currently trying to work this out in the context of the CAB
Forum. My current proposal is that we require CAs to provide their
documentation (CP and CPS) under any Creative Commons license which does
not include "NonCommercial". In other words, CC-BY, CC-BY-SA or CC-BY-ND.

I would commend either of the first two, but CC-BY-ND is allowed for CAs
who do not wish others to make derivative works of their documentation.

> I'm not clear on what Mozilla expects here when standing up a new
> subordinate and disclosing it for the first time. Assuming the operator
> has an audit program in place, it is possible that it will be 12+ months
> until they have an opinion from their auditor that calls out the new
> subordinate (11 months to complete the current period plus up to 60 days
> to get opinion). Does the operator just provide a link to their current
> audit opinion and a statement that the new certificate will be included
> in the audit program?

This one's a question for Kathleen :-)

Gerv


Kathleen Wilson

Jun 17, 2015, 2:44:08 PM
to mozilla-dev-s...@lists.mozilla.org
>> I'm not clear on what Mozilla expects here when standing up a new
>> subordinate and disclosing it for the first time. Assuming the operator
>> has an audit program in place, it is possible that it will be 12+ months
>> until they have an opinion from their auditor that calls out the new
>> subordinate (11 months to complete the current period plus up to 60 days
>> to get opinion). Does the operator just provide a link to their current
>> audit opinion and a statement that the new certificate will be included
>> in the audit program?

Yes. I think that's a reasonable approach.

Kathleen
