[cabfcert_policy] CA vs. CAO

Dimitris Zacharopoulos jimmy at it.auth.gr
Thu Nov 24 00:03:32 MST 2016


On 23/11/2016 5:19 PM, Tim Hollebeek wrote:
>
> Right. That’s another argument against using TSP.  A TSP need not even 
> be a CA, as they need not issue certificates.  I’m pretty sure many of 
> the usages of CA in the BRs would be impossible to interpret or even 
> nonsensical for an organization that doesn’t issue certificates.
>
> Such an organization is not in scope for the BRs, of course, but it 
> shows why using a looser definition could cause significant 
> misunderstandings and doesn’t add any clarity.
>
> -Tim
>

I think the "big picture" would include rules in the BRs for all 
"operational units", currently included in the BRs which can't be 
audited separately. For example, we hear from auditors the need to have 
some kind of specific rules that RAs must follow if these tasks are to 
be delegated and audited separately. The same might happen for 
validation services like OCSP and CRL providers (including CDNs, etc).

If this was ever to happen, it would make sense to set BRs for "TSPs" 
(or another broader definition than the current one) and then specify 
rules for "CAs" (almost as we know it today), RAs (taking parts from the 
current BRs associated with entity validation, revocation, etc), 
Certificate Validation Services (OCSP, CRL, CT) and so on.

Dimitris.