Cradle-to-Grave Contiguous Audits #153
Comments
From the perspective of the ETSI/ACAB’c auditors we fully support the suggested policy change. In order to make it round it should be added on top
Best regards
I'm trying to understand the second bullet a bit more. Is the expectation that for the Point-in-Time for WT or Audit initialization for ETSI, the Root must not have issued any certificate? SubCA or end-entity under a subCA chained to that Root?
We need to discuss this and decide what the specific requirements should be. I believe that the PIT (or ETSI equivalent) should happen before or soon after the root signs the first certificate. This is currently a major area of confusion.
A few sentences could be tacked on to the end of that 4th paragraph under section 7.1 of the Mozilla Root Store Policy. It could be effective immediately upon adoption in the MRSP. It could say, "For new inclusion requests, the following are required: the submission of a key generation ceremony report from a qualified auditor that witnessed the ceremony; bulleted items from Comment 1; etc." For "POT audits must continue until root is removed from program", that probably belongs in section 3.1.3, and bullet 4 above is already covered in that section. (Also note that this is related to Issue 139.)
This commit attempts to address issues 139, 153 and 173 mozilla#139 mozilla#153 mozilla#173
There was redundant language not removed during editing of last commit related to Issues mozilla#153 and mozilla#173
Regarding...
Is Mozilla imposing this on CAs newly entering the program with their first Root, or on any Root CA added to the program, even if the entity is already a member? I'm asking this because when we added the last two Roots we always presented the PiT and 3-month report, despite already being in the program, because that's the interpretation that our auditors make of the policy, but I think I have seen other Roots added without a PiT, just presenting an annual report where the Root was added at some point to the rest of the CAs. I think it would be good to clarify this point with stricter wording. Thanks,
The distinction should be based on whether or not the root will be added to an "existing" audit. If a CA has current audits at the time the new CA certificate is issued, and that CA certificate falls under the same CP/CPS as the current audit covers and the CA certificate will be added to the scope of that audit at the next PoT, then no PiT is required.
Now that the WebTrust Key Protection report is available, I think it should be included in these requirements. Specifically, when a CA is starting up (i.e. they do not have a current PoT audit at the time of the key generation and root signing), then a Key Protection PoT report should be required to cover the period of time between the key generation and the WebTrust PiT (which should also be the start of the regular WebTrust/BR PoT), thus providing contiguous audit coverage from the time of key generation onward. I believe this requirement eliminates the need for the 'before/after' timing requirements for the WTCA + BR PiT in the second bullet because the CA keys/certificates will be covered by the Key Protection PoT. It will be necessary to confirm that this additional requirement can be met under an ETSI audit scheme.
Added "This cradle-to-grave audit requirement applies equally to subordinate CAs as it does to root CAs."
Section 7.1 states "Before being included, CAs MUST provide evidence that their CA certificates have continually, from the time of creation, complied with the then-current Mozilla Root Store Policy and Baseline Requirements."
There are a number of questions about how a CA is expected to comply with this policy with a combination of RKGC, PIT, and POT audit reports.
Our expectation for CAs new to the program should be: