Question about BR audit

[Kathleen Wilson]

All,

I received the following question from an auditor, and would appreciate
hearing your opinions on it. This question is in regards to a new CA
inclusion request. New CAs are frequently not members of the CA/Browser
Forum, so they tend to find out about the Baseline Requirements audit
when they apply for inclusion.

> For those CA who have done the compliance with the Baseline Requirements
> for the first time, will your root certificate program accept a
> point-in-time readiness assessment audit against the WebTrust Baseline
> Requirements Program?


For reference, our documented expectations are here:
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Audit_Criteria

Thanks,
Kathleen

[Henri Sivonen]

On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson <kwi...@mozilla.com> wrote:
> New CAs are frequently not members of the CA/Browser Forum,

I guess that's reasonable.

> so they tend to find out about the Baseline Requirements audit when
> they apply for inclusion.

The idea that an organization wants to run a globally-trusted CA but
has not found out about the Baseline Requirements before applying
seems pretty scary.

--
Henri Sivonen
hsiv...@hsivonen.fi
https://hsivonen.fi/

[Kathleen Wilson]

On 3/4/14, 8:00 AM, Rich Smith wrote:

> On Mon, Mar 3, 2014 at 8:33 PM, Kathleen Wilson wrote:
>
>> For those CA who have done the compliance with the Baseline Requirements
>> for the first time, will your root certificate program accept a
>> point-in-time readiness assessment audit against the WebTrust Baseline
>> Requirements Program?
>
>
>

> Lacking full information, I assume this means that as a new CA, they have no
> (or very little) issued track record of BR compliant certificates upon which
> to base a full compliance audit, so are asking if a point in time readiness
> assessment of BR compliance is sufficient. If my assumption of the
> situation is correct, it seems a reasonable request.
>

Yes, your assumption is correct.

Accepting a point-in-time BR audit from a new CA means that the
previously issued certs that are still valid may be non-compliant with
the BRs in worse ways than not having an OCSP URI in the AIA. However,
the same could be true of the CAs currently in Mozilla's program who
issued long-lived certs before the BRs went into effect.

Of course, a full WebTrust CA or ETSI TS 102 042 audit is required
before a CA's inclusion request may be considered (when they are asking
for the websites trust bit to be enabled).

Thanks,
Kathleen

[Kathleen Wilson]

Based on the discussion so far, it appears that folks are OK with new
CAs getting a point-in-time readiness assessment audit the first time
they get a Baseline Requirements audit, as long as the CA has also been
getting the other audits (WebTrust CA or ETSI TS 102 042) done annually.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

Currently says:
"Any Certificate Authority being considered for root inclusion after
February 15, 2013 must comply with Version 2.1 of Mozilla's CA
Certificate Policy."

Mozilla's CA Certificate Policy version 2.1 and later requires a BR
audit, but doesn't say anything about a point-in-time readiness audit.

How about if I update the wiki page as follows?

"Any Certificate Authority being considered for root inclusion after
February 15, 2013 must comply with Version 2.1 of Mozilla's CA
Certificate Policy. This includes having a Baseline Requirements audit
performed if the websites trust bit is to be enabled. Note that the CA's
first Baseline Requirements audit may be a Point in Time audit."

Thanks,
Kathleen

[Kathleen Wilson]

I made the proposed change to the wiki page.

https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_Frames_for_included_CAs_to_comply_with_the_new_policy

"Any Certificate Authority being considered for root inclusion after

February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA

Certificate Policy. This includes having a Baseline Requirements audit
performed if the websites trust bit is to be enabled. Note that the CA's
first Baseline Requirements audit may be a Point in Time audit."

Please let me know if you see any problems with this change.

Thanks,
Kathleen

PS: I also updated a few of the links in that page.

[Chema López]

I think this is okey.

m...@chemalogo.com
+34 666 429 224 (Spain)
gplus.to/chemalogo
@chemalogo <https://twitter.com/chemalogo/>
www.linkedin.com/in/chemalogo
Skype: chemalogo

On Tue, Mar 11, 2014 at 12:19 AM, Kathleen Wilson <kwi...@mozilla.com>wrote:

> On 3/6/14, 9:58 AM, Kathleen Wilson wrote:
>

> I made the proposed change to the wiki page.
>
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Time_
> Frames_for_included_CAs_to_comply_with_the_new_policy

> "Any Certificate Authority being considered for root inclusion after

> February 15, 2013 must comply with Version 2.1 or later of Mozilla's CA

> Certificate Policy. This includes having a Baseline Requirements audit
> performed if the websites trust bit is to be enabled. Note that the CA's
> first Baseline Requirements audit may be a Point in Time audit."
>

> Please let me know if you see any problems with this change.
>
> Thanks,
> Kathleen
>
> PS: I also updated a few of the links in that page.
>
>
>
>
>
>
>
>
>
>

> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>