<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.emailquote, li.emailquote, div.emailquote
{mso-style-name:emailquote;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:1.0pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle19
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle20
{mso-style-type:personal;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rick,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>In looking at this more, I note that the definition uses the phrase “the CA” rather than “a CA.” So it isn’t as clear as I thought. But here are a couple of other considerations – <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>1. The BRs do not adequately distinguish between internal and external CAs. The definition of a CA is “[a]n organization that is responsible for the creation, issuance, revocation, and management of Certificates. The term applies equally to both Roots CAs and Subordinate CAs.” So strike one (external CAs are within this definition and not excepted out). <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>2. Section 8.1 requires CAs to comply not just with the Requirements but also with the audit requirements of Section 17. Even assuming that there was an exception to auditing, any CA still needs to comply with all of the other requirements. In other words, the contractual delegation of CA duties from one CA to another CA still requires that ALL of the CA duties are performed and that there are no gaps in the performance of those duties. That would require that someone review them and that they are included in one CA’s or the other CA’s audit. Anyone with a CA that is publicly trusted has to anticipate that there will be compliance costs in order to remain publicly trusted—there is no “free ride.” So strike two.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>3. The closest that we got in mentioning external CAs during version 1.0 of the BRs was in section 8.4 (Trust Model) where we say, “The CA SHALL disclose all Cross Certificates that identify the CA as the Subject, provided that the CA arranged for or accepted the establishment of the trust relationship (i.e. the Cross Certificate at issue).” Therefore, a publicly trusted CA will disclose its external CAs, and that disclosure will lead to an understanding of the trust model (e.g. SSL Observatory). If it is a true external sub CA, then maybe we should have defined external sub CA and included them in section 8.4, since “Cross Certificate” is defined as “A certificate that is used to establish a trust relationship between two Root CAs.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>4. The BRs do not grant an exception for CAs that are technically constrained. This was something that was discussed in parallel on the Mozilla list. I would have to look through our minutes and mailing list history to see what was said here about technical constraints. However, there was some discussion because we added a footnote in Section F of Intermediate CAs in Appendix B that says, “Non-critical Name Constraints are an exception to RFC 5280 that MAY be used until the Name Constraints extension is supported by Application Software Suppliers whose software is used by a substantial portion of Relying Parties worldwide." There has, however, been debate in PKIX about allowing non-critical Name Constraints because in not breaking one thing we may be breaking another. (Those who use Name Constraints as a solution want it to work 100% of the time.) So, because there is no clear exception, I’d say strike three.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I’m sure there are other arguments for either side of this issue, so I won’t go through the BRs any more to spot more relevant provisions.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Cheers,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ben<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> public-bounces@cabforum.org [mailto:public-bounces@cabforum.org] <b>On Behalf Of </b>Ben Wilson<br><b>Sent:</b> Friday, December 21, 2012 12:12 PM<br><b>To:</b> 'Rick Andrews'; public@cabforum.org<br><b>Subject:</b> Re: [cabfpub] 17.5 Audit of Delegated Functions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>That does not meet the definition of a Delegated Third Party.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rick Andrews [<a href="mailto:Rick_Andrews@symantec.com">mailto:Rick_Andrews@symantec.com</a>] <br><b>Sent:</b> Friday, December 21, 2012 12:07 PM<br><b>To:</b> <a href="mailto:ben@digicert.com">ben@digicert.com</a>; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] 17.5 Audit of Delegated Functions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Right, I’m not talking about Enterprise CAs or RAs; external (to the CA) parties that the CA has granted the right to sign their own certificates (by way of the CA signing the party’s intermediate CA and including a name constraint in that intermediate). I think that meets the definition of Delegated Third Party. Is it the intent of the BRs not require them to be audited?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>-Rick<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Ben Wilson [<a href="mailto:ben@digicert.com">mailto:ben@digicert.com</a>] <br><b>Sent:</b> Friday, December 21, 2012 10:53 AM<br><b>To:</b> Rick Andrews; <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> RE: [cabfpub] 17.5 Audit of Delegated Functions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Rick, <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Just so I understand your question more fully, you’re talking about an external sub CA relying on name constraints and not an “Enterprise RA” or internal sub CA that is technically constrained in other ways? When the BRs use the phrase “Delegated Third Party” (including in Section 11), that term means “a natural person or Legal Entity that is not the CA.”<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Ben <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> <a href="mailto:public-bounces@cabforum.org">public-bounces@cabforum.org</a> [<a href="mailto:public-bounces@cabforum.org">mailto:public-bounces@cabforum.org</a>] <b>On Behalf Of </b>Rick Andrews<br><b>Sent:</b> Friday, December 21, 2012 11:43 AM<br><b>To:</b> <a href="mailto:public@cabforum.org">public@cabforum.org</a><br><b>Subject:</b> [cabfpub] 17.5 Audit of Delegated Functions<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>CABF members,<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>It’s come to our attention that several people are interpreting this section of BR:<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><b><span style='font-family:"Calibri","sans-serif"'>17.5 Audit of Delegated Functions</span></b><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>If a Delegated Third Party is not currently audited in accordance with Section 17 and is not an Enterprise RA, then</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>prior to certificate issuance the CA SHALL ensure that the domain control validation process required under Section</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>11.1 has been properly performed by the Delegated Third Party by either (1) using an out-of-band mechanism</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>involving at least one human who is acting either on behalf of the CA or on behalf of the Delegated Third Party to</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>confirm the authenticity of the certificate request or the information supporting the certificate request or (2)</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'>performing the domain control validation process itself.</span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>to mean that a Delegated Third Party that runs an External SubCA can avoid audit indefinitely if it simply has a name constraint in the SubCA limiting the domain names that it can issue to. The CA would be complying with “(2) performing the domain control validation itself” before it put the name constraint in the SubCA.<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>This seems like a loophole to us, because without an audit, there’s no way to be sure that the Delegated Third Party is putting properly vetted info in the Subject DN field, and populating certs with the required extensions.<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>I doubt this was the intent, because I had the impression that most people thought External SubCAs were a risky practice that needed to be more tightly controlled. This seems to allow them to be less tightly controlled. Comments?<o:p></o:p></span></p></div><div style='margin-top:5.0pt;margin-bottom:5.0pt'><p class=MsoNormal><span style='font-family:"Calibri","sans-serif"'>-Rick<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Calibri","sans-serif"'> </span><span style='font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div></div></body></html>