
Scott Perry request to be accepted as a CA auditor for Mozilla purposes


Frank Hecker

May 13, 2009, 1:01:35 PM
You may recall our earlier thread relating to a request from Brian
Dilley to be accepted for Mozilla purposes as a qualified person to do
CA audits. As a result of Brian's request I now have a similar request
from Scott Perry of Slalom Consulting <http://www.slalom.com/>. Like
Brian, Scott has been involved in doing audits of enterprise PKIs.

Before I make a decision on whether to accept Scott as a "competent
independent party" for purposes of the Mozilla CA certificate policy, I
wanted to provide an opportunity for all of you to review Scott's
qualifications. Scott has provided me with some background material on
his practice:

http://hecker.org/mozilla/slalom-pki-fact-sheet.pdf
http://hecker.org/mozilla/slalom-pki-audit-methodology.pdf

He'll also be glad to answer any questions you might have about his
experience.

Frank

--
Frank Hecker
hec...@mozillafoundation.org

Ian G

May 13, 2009, 2:17:33 PM
to Frank Hecker, dev-secur...@lists.mozilla.org
I've read briefly the PDFs below and they look fine to me. I'd suggest
accepting Scott Perry for audits on which Mozilla relies.

iang

Eddy Nigg

May 13, 2009, 2:27:10 PM
On 05/13/2009 08:01 PM, Frank Hecker:

It's not entirely clear to me which audit criteria Scott intends to use.

In relation to that, we need to update the Mozilla CA policy to reflect
the requested changes concerning acceptable audit criterion.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org

Eddy Nigg

May 13, 2009, 2:30:48 PM
On 05/13/2009 09:17 PM, Ian G:

> I've read briefly the PDFs below and they look fine to me. I'd
> suggest accepting Scott Perry for audits on which Mozilla relies.
>

Ian, a while ago you asked Frank if you were automatically accepted as
an acceptable auditor. At that time I was a bit busy with other things,
but I'd like to request from both of you that you yourselves be
introduced by Frank in the same manner as Brian and Scott. Additionally
I'd like to know if it's OK to raise questions concerning your attempt
to audit CAcert (as you publicly confirmed) together with such an
introduction of yourselves?

Ian G

May 13, 2009, 2:58:06 PM
to Eddy Nigg, dev-secur...@lists.mozilla.org
On 13/5/09 20:30, Eddy Nigg wrote:
> On 05/13/2009 09:17 PM, Ian G:
>> I've read briefly the PDFs below and they look fine to me. I'd suggest
>> accepting Scott Perry for audits on which Mozilla relies.
>>
>
> Ian, a while ago you asked Frank if you were automatically accepted as
> an acceptable auditor. At that time I was a bit busy with other things,
> but I'd like to request from both of you that you yourselves be
> introduced by Frank in the same manner as Brian and Scott.


Sure, as long as it is next week or later.

> Additionally
> I'd like to know if it's OK to raise questions concerning your attempt
> to audit CAcert (as you publicly confirmed) together with such an
> introduction of yourselves?


No problem. CAcert is an open organisation and the audit is open.

iang

Eddy Nigg

May 13, 2009, 3:07:28 PM
On 05/13/2009 09:58 PM, Ian G:

Fantastic! I think the timing is not important. Additionally I think the
two subjects from above don't have to be tied to each other. But I'd
like to comment on both if possible.

Frank Hecker

May 13, 2009, 3:21:22 PM
Eddy Nigg wrote:
> It's not entirely clear to me which audit criteria Scott intends to use.

Sorry, I should have made that clear. As with Brian, Scott would use any
of the standard audit criteria we already accept, until/unless we decide
to accept additional criteria. If Brian and/or Scott want to use their
own criteria in auditing one or more CAs, that would be a different
discussion.

> In relation to that, we need to update the Mozilla CA policy to reflect
> the requested changes concerning acceptable audit criterion.

There are no such requested changes, at least not yet.

Eddy Nigg

May 13, 2009, 3:23:41 PM
On 05/13/2009 10:21 PM, Frank Hecker:

> Eddy Nigg wrote:
>> It's not entirely clear to me which audit criteria Scott intends to use.
>
> Sorry, I should have made that clear. As with Brian, Scott would use
> any of the standard audit criteria we already accept, until/unless we
> decide to accept additional criteria. If Brian and/or Scott want to
> use their own criteria in auditing one or more CAs, that would be a
> different discussion.

OK

>
>> In relation to that, we need to update the Mozilla CA policy to
>> reflect the requested changes concerning acceptable audit criterion.
>
> There are no such requested changes, at least not yet.
>

What about ISO 21188? I thought we are taking it instead of ANSI X9.79-1?

Eddy Nigg

May 13, 2009, 3:26:28 PM
On 05/13/2009 10:21 PM, Frank Hecker:
> Eddy Nigg wrote:
>> It's not entirely clear to me which audit criteria Scott intends to use.
>
> Sorry, I should have made that clear. As with Brian, Scott would use
> any of the standard audit criteria we already accept, until/unless we
> decide to accept additional criteria. If Brian and/or Scott want to
> use their own criteria in auditing one or more CAs, that would be a
> different discussion.
>

Just another thought/question. Would Mozilla accept an EV audit
performed by Brian or Scott? I assume not, but I'm asking nevertheless...

Frank Hecker

May 13, 2009, 3:52:38 PM
Eddy Nigg wrote:
> Just another thought/question. Would Mozilla accept an EV audit
> performed by Brian or Scott?

No, because (unless things have changed since I looked last) the present
EV guidelines require an audit according to the WebTrust EV criteria,
and neither Brian nor Scott is authorized to do WebTrust audits.

Frank Hecker

May 13, 2009, 3:58:12 PM
Eddy Nigg wrote:
> What about ISO 21188? I thought we are taking it instead of ANSI X9.79-1?

We never reached a final conclusion on ISO 21188, in large part because
I never had time to obtain a copy of ISO 21188 and compare it to ANSI
X9.9-1 :-(

I'm willing to look at the issue again, but to be honest it's not a
major priority for me unless someone comes to us actually wanting to do
an audit against ISO 21188.

Eddy Nigg

May 13, 2009, 4:47:48 PM
On 05/13/2009 10:58 PM, Frank Hecker:

> Eddy Nigg wrote:
>> What about ISO 21188? I thought we are taking it instead of ANSI
>> X9.79-1?
>
> We never reached a final conclusion on ISO 21188, in large part
> because I never had time to obtain a copy of ISO 21188 and compare it
> to ANSI X9.9-1 :-(
>
> I'm willing to look at the issue again, but to be honest it's not a
> major priority for me unless someone comes to us actually wanting to
> do an audit against ISO 21188.

I've been talking with Brian about ISO 21188 and lots of other stuff.
Perhaps because of that it appeared to me as if it's a closed deal :-)

As such, even though I haven't read it either, it seems that Microsoft
also accepts it, which would therefore be a good reason for accepting
it here as well, also since Brian basically uses the ISO 21188 criteria
IIRC. CAs could be audited with these criteria... if Mozilla doesn't
accept it, it wouldn't make much sense to get audited with ISO 21188.

Frank Hecker

May 14, 2009, 10:15:28 AM
Eddy Nigg wrote:
> I've been talking with Brian about ISO 21188 and lots of other stuff.
> Perhaps because of that it appeared to me as if it's a closed deal :-)
>
> As such, even though I haven't read it either, it seems that Microsoft
> also accepts it, which would therefore be a good reason for accepting
> it here as well, also since Brian basically uses the ISO 21188 criteria
> IIRC. CAs could be audited with these criteria... if Mozilla doesn't
> accept it, it wouldn't make much sense to get audited with ISO 21188.

Based on your comments and another person's comments off-list, I've
purchased a copy of ISO 21188 and will be comparing it to ANSI X9.79.
I'm hoping that the differences are relatively small, but we'll see.

scott...@slalom.com

May 15, 2009, 1:25:24 PM
On May 14, 10:15 am, Frank Hecker <hec...@mozillafoundation.org>
wrote:

Hello everyone,

I would be prepared to attest against a standard of your choosing. I
am prevented from doing this for WebTrust since I do not represent a
CPA licenced firm (which appears to me and Brian as artificially
limiting). I have attested against CP/CPS compliance against a
properly regulated CP/CPS under RFC2527 driven by the 4 Bridges Forum
(Federal Bridge, CertiPath (Aerospace), SAFE (Bio-Pharma) and HEBCA).
These groups have rejected previous versions of WebTrust as not being
inclusive enough.

If you feel that ISO21188 is adequate, acceptable and not limiting for
qualified auditors, I would move in this direction.

Scott Perry

Brian D

Jul 10, 2009, 9:16:02 AM
On May 15, 1:25 pm, scott.pe...@slalom.com wrote:
> On May 14, 10:15 am, Frank Hecker <hec...@mozillafoundation.org>
> wrote:
>
> > Eddy Nigg wrote:
> > > I've been talking with Brian about ISO 21188 and lots of other stuff.
> > > Perhaps because of that it appeared to me as if it's a closed deal :-)
> >
> > > As such, even though I haven't read it either, it seems that Microsoft
> > > also accepts it, which would therefore be a good reason for accepting
> > > it here as well, also since Brian basically uses the ISO 21188 criteria
> > > IIRC. CAs could be audited with these criteria... if Mozilla doesn't
> > > accept it, it wouldn't make much sense to get audited with ISO 21188.
> >
> > Based on your comments and another person's comments off-list, I've
> > purchased a copy of ISO 21188 and will be comparing it to ANSI X9.79.
> > I'm hoping that the differences are relatively small, but we'll see.
> >
> > Frank
> >
> > --
> > Frank Hecker
> > hec...@mozillafoundation.org
>
> Hello everyone,
>
> I would be prepared to attest against a standard of your choosing. I
> am prevented from doing this for WebTrust since I do not represent a
> CPA licenced firm (which appears to me and Brian as artificially
> limiting). I have attested against CP/CPS compliance against a
> properly regulated CP/CPS under RFC2527 driven by the 4 Bridges Forum
> (Federal Bridge, CertiPath (Aerospace), SAFE (Bio-Pharma) and HEBCA).
> These groups have rejected previous versions of WebTrust as not being
> inclusive enough.
>
> If you feel that ISO21188 is adequate, acceptable and not limiting for
> qualified auditors, I would move in this direction.
>
> Scott Perry

Hey Scott, good to see you around the shop! On the ISO 21188
compliance audit standard, I have an urgent need from a large purveyor
of shared security services to have a browser-acceptable audit
conducted. Since the choices for non-CPA auditing firms are limited to
ad hoc, eValidated, or ISO 21188, I have directed the client to a
common denominator of selecting the ISO 21188 audit. As an inherent
heir to the old X9.79 criteria, this ISO 21188 audit is accepted by
the Microsoft CA program, and to gain industry acceptance of a viable
non-proprietary solution, my client is trying to verify that the
Mozilla/Firefox CA program would also accept this industry open
standard.

If anyone needs help in the comparison, please let me know and I can
work with you to find the differences or holes that may appear between
the X9.79 standard, now accepted by Mozilla/Firefox, and ISO 21188.
This audit has impact on up to 10 CAs that could qualify as public
trust domains. So this would be a significant bunch of CAs trusted
across multiple domains and would allow for more consistency of
compliance between such CAs if audited against a common standard.

Any questions, please ask!

Brian
