RA definitions: Almost anything is an RA #424

Open
timfromdigicert opened this issue Feb 23, 2023 · 7 comments
Comments

@timfromdigicert (Contributor)

Baseline requirements: "Registration Authority (RA): Any Legal Entity that is responsible for identification and authentication of subjects of Certificates, but is not a CA, and hence does not sign or issue Certificates. An RA may assist in the certificate application process or revocation process or both. When “RA” is used as an adjective to describe a role or function, it does not necessarily imply a separate body, but can be part of the CA."

RFC 5280: "registration authority, i.e., an optional system to which a CA delegates certain management functions;"

These definitions are so broad as to be practically meaningless. It has been noted internally that our CA Product Manager assists with issuance, is part of a CA, and performs certain management functions. Is he an RA? If we're going to write requirements for RAs, a good first step would be defining what one actually is.

@timfromdigicert (Contributor, Author)

Note that for the first definition, the first part is pretty good, but then it uses weasel words to basically contradict everything in the clear first half.

@XolphinMartijn (Member)

It has been noted internally that our CA Product Manager assists with issuance, is part of a CA, and performs certain management functions. Is he an RA?

No, because I would argue he is not a Legal Entity.

Having said that, I agree with you. The second part seems to contradict the first part in some ways.

I would guess this was written in a time before there was WebTrust for RAs. Should this definition be more closely related to an audited entity?

It seems we already have a carve-out definition for Enterprise RA, so that should not be any direct issue (but let's make sure it's not).

@BenWilson-Mozilla (Contributor)

"RA" has always been a generic term for a subset of CA functions that are often delegated. See sections D.1.3.1 and D.1.3.2 of the PKI Assessment Guidelines, which I can provide, or can be found here https://theworld.com/~goldberg/pagv30.pdf or here https://tglassey.files.wordpress.com/2018/05/pagv30.pdf.

@timfromdigicert (Contributor, Author)

Yes, I'm aware that this level of vagueness is historical and traditional. I'm just arguing that it's also undesirable :)

@ryancdickson (Contributor)

Another consideration for this update, whenever it takes place --- it also seems there’s room for improvement in defining “enterprise RA” and "delegated third party" (functionally introduced in 1.3.2 "Registration Authorities").

Definitions from the BRs:

  • Delegated Third Party: A natural person or Legal Entity that is not the CA but is authorized by the CA, and whose activities are not within the scope of the appropriate CA audits, to assist in the Certificate Management Process by performing or fulfilling one or more of the CA requirements found herein.

  • Enterprise RA: An employee or agent of an organization unaffiliated with the CA who authorizes issuance of Certificates to that organization.

Interpretation:

  • An Enterprise RA is NOT a delegated third party (because it’s covered in the scope of the appropriate CA audit or because it does not perform/fulfill CA requirements defined in the BRs).
  • However, the following language in 8.4 suggests (to me) that these roles are not mutually exclusive.
    • "For Delegated Third Parties which are not Enterprise RAs, then the CA SHALL..."

Intended outcome: Improve clarity and more explicitly represent the relationship between these roles (and expected audit coverage).

@bcmorton

I think the Enterprise RA role is really limited to its definition of authorizing issuance of certificates. The text in section 1.3.2 is about how the CA decides the certificate has a domain; the Enterprise RA can approve issuance. Section 8.4 does not require monitoring or audit.

In addition, the BRs define Applicant Representative: A natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: i. who signs and submits, or approves a certificate request on behalf of the Applicant, and/or ii. who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or iii. who acknowledges the Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA or is the CA. This role can approve a certificate request, so really approve certificate issuance. The other references tie the Applicant Representative to certificate requests. There are no monitoring or audit requirements.

So why do we have two different Subscriber roles who can approve certificate issuance, but have different terms in how they will be used?

In both cases the Enterprise RA and the Applicant Representative are not RAs as defined in the BRs, are not performing tasks delegated by the CA, so are not Delegated Third Parties.

So agree, we need to improve clarity and also simplify if we can.

@barrini (Contributor)

barrini commented Jun 20, 2024

Move to the Definitions & Glossary WG

6 participants