[cabfpub] Name Constraints, Auditing and EKU

Rick Andrews Rick_Andrews at symantec.com
Sat Apr 6 01:35:26 UTC 2013


The last time we discussed this on the CABF call, I expressed concern about the idea of technically-constrained certs not needing a third-party audit. We may be putting ourselves in a situation where we'll have to answer some tough questions:

- If a CA is qualified to perform audits on its Delegated Third Parties, why can't the CA audit itself? Why require a third party for the CA but not its delegates? All certs chain to the same trusted roots, and have the capability to do the same damage.

- What about the conflict of interest created by that business arrangement? What's to keep CAs from rubber stamping audits of delegates because they stand to lose money if they don't?

- Does this create a moral hazard where the Delegate might intentionally violate the BRs because they won't bear much of the cost? (Their certificate(s) will get revoked, but the CA may have its roots untrusted as a result.)

- The BRs are only as strong as their weakest link, and isn't this a weak link?

I'd feel better about this if we had good answers to these questions.


From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Steve Roylance
Sent: Wednesday, March 27, 2013 6:50 AM
To: public at cabforum.org
Subject: [cabfpub] Name Constraints, Auditing and EKU

Dear all,

(Thanks Ben Wilson for helping me remove the minor mistakes in my initial draft)

Please see the attached (Word and PDF versions) as a suggested update to the BRs to address the gaps we saw when viewing the guidelines with multiple parties over the last couple of months.

My 10,000 ft view (which I hope is expressed clearly by the changes proposed):

1. All CAs are Audited or Technically constrained (as Mozilla's Rev 2.1 Policy now states, so in reality it's applicable to everyone already).
2. There's no ability to opt out, as the BRs apply to all Roots and Subordinate CAs whether or not they are owned/run by the root authority or another Subordinate Authority lower down the chain, i.e. no gaps, as it's the weak points that will hurt the industry.
3. The only exception in section 17 is that, Technically constrained or not, the quarterly self-audits should be done, as that checks compliance to the other areas.

Note that I added the section on SubCA subject naming as, although it could be inferred from the issuer logic, that section seemed to be more focused on Roots.

I'm looking for a couple of volunteers to whip this into shape.  Any takers?
