[cabfpub] 17.5 Audit of Delegated Functions

Ben Wilson ben at digicert.com
Fri Dec 21 12:12:18 MST 2012


That does not meet the definition of a Delegated Third Party.

 

From: Rick Andrews [mailto:Rick_Andrews at symantec.com] 
Sent: Friday, December 21, 2012 12:07 PM
To: ben at digicert.com; public at cabforum.org
Subject: RE: [cabfpub] 17.5 Audit of Delegated Functions

 

Right, I'm not talking about Enterprise CAs or RAs; external (to the CA)
parties that the CA has granted the right to sign their own certificates (by
way of the CA signing the party's intermediate CA and including a name
constraint in that intermediate). I think that meets the definition of
Delegated Third Party. Is it the intent of the BRs not to require them to be
audited?

 

-Rick

 

From: Ben Wilson [mailto:ben at digicert.com] 
Sent: Friday, December 21, 2012 10:53 AM
To: Rick Andrews; public at cabforum.org
Subject: RE: [cabfpub] 17.5 Audit of Delegated Functions

 

Rick, 

Just so I understand your question more fully, you're talking about an
external sub CA relying on name constraints and not an "Enterprise RA" or
internal sub CA that is technically constrained in other ways? When the
BRs use the phrase "Delegated Third Party" (including in Section 11), that
term means "a natural person or Legal Entity that is not the CA."

Ben 

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Friday, December 21, 2012 11:43 AM
To: public at cabforum.org
Subject: [cabfpub] 17.5 Audit of Delegated Functions

 

CABF members,

It's come to our attention that several people are interpreting this section
of BR:

17.5 Audit of Delegated Functions

If a Delegated Third Party is not currently audited in accordance with
Section 17 and is not an Enterprise RA, then prior to certificate issuance
the CA SHALL ensure that the domain control validation process required
under Section 11.1 has been properly performed by the Delegated Third Party
by either (1) using an out-of-band mechanism involving at least one human
who is acting either on behalf of the CA or on behalf of the Delegated Third
Party to confirm the authenticity of the certificate request or the
information supporting the certificate request or (2) performing the domain
control validation process itself.

to mean that a Delegated Third Party that runs an External SubCA can avoid
audit indefinitely if it simply has a name constraint in the SubCA limiting
the domain names that it can issue to. The CA would be complying with "(2)
performing the domain control validation itself" before it put the name
constraint in the SubCA.

This seems like a loophole to us, because without an audit, there's no way
to be sure that the Delegated Third Party is putting properly vetted info in
the Subject DN field, and populating certs with the required extensions.

I doubt this was the intent, because I had the impression that most people
thought External SubCAs were a risky practice that needed to be more tightly
controlled. This seems to allow them to be less tightly controlled.
Comments?

-Rick

 

 
