[cabfpub] 17.5 Audit of Delegated Functions

Rick Andrews Rick_Andrews at symantec.com
Fri Dec 21 18:43:03 UTC 2012


CABF members,
It's come to our attention that several people are interpreting this section of BR:
17.5 Audit of Delegated Functions
If a Delegated Third Party is not currently audited in accordance with Section 17 and is not an Enterprise RA, then
prior to certificate issuance the CA SHALL ensure that the domain control validation process required under Section
11.1 has been properly performed by the Delegated Third Party by either (1) using an out-of-band mechanism
involving at least one human who is acting either on behalf of the CA or on behalf of the Delegated Third Party to
confirm the authenticity of the certificate request or the information supporting the certificate request or (2)
performing the domain control validation process itself.

to mean that a Delegated Third Party that runs an External SubCA can avoid audit indefinitely if it simply has a name constraint in the SubCA limiting the domain names that it can issue to. The CA would be complying with "(2) performing the domain control validation itself" before it put the name constraint in the SubCA.
This seems like a loophole to us, because without an audit, there's no way to be sure that the Delegated Third Party is putting properly vetted info in the Subject DN field, and populating certs with the required extensions.
I doubt this was the intent, because I had the impression that most people thought External SubCAs were a risky practice that needed to be more tightly controlled. This seems to allow them to be less tightly controlled. Comments?
-Rick

