[cabfpub] BRs, audits and historical point-in-time events

tScheme Technical Manager richard.trevorah at tScheme.org
Wed Jul 23 03:38:55 MST 2014


Gerv et al,

I must say that I find it hard to imagine what retrospective requirement
could be resolved by script and video - "only three people in the room"
might do it.

I thought the BRs put stricter requirements on the CA in terms of how it
performs and secures its processes - unlikely to be evidenced by S & V - and
on its Certificate contents and CPs - which presumably could be analysed
post-event to see if they would have complied at the time.

Am I being naive - or have I missed the point somewhere?

Cheers
Richard
------------------------------------
Richard Trevorah
Technical Manager
tScheme Limited

M: +44 (0) 781 809 4728
F: +44 (0) 870 005 6311

http://www.tscheme.org
------------------------------------

The information in this message and, if present, any attachments are
intended solely for the attention and use of the named addressee(s). The
content of this e-mail and its attachments is confidential and may be
legally privileged. Unless otherwise stated, any use or disclosure is
unauthorised and may be unlawful.

If you are not the intended recipient, please delete the message and any
attachments and notify the sender as soon as practicable



-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: 23 July 2014 10:47
To: kirk_hall at trendmicro.com; cabfpub
Subject: Re: [cabfpub] BRs, audits and historical point-in-time events

On 23/07/14 01:02, kirk_hall at trendmicro.com wrote:
> If an auditor is able to issue the sub (3) opinion based on the
> script and video, that would seem to be sufficient -- perhaps no need
> for the auditor to have been there, and this opinion could be
> prepared long after the fact.  But if the script and/or video don't
> exist, that's a problem.

If it's OK to issue the opinion based on the script and video only, that
may solve the problem.

> I'd also go to the Mozilla communications to CAs concerning Mozilla's
> date of enforcement of the BRs -- as I recall, it was something like
> starting Feb. 15, 2013.  If the root was created before that date,
> there was no actual requirement to comply with the BRs by any root
> program, despite the BRs stated effective date of July 1, 2012.
> (There was lots of discussion about this at the time.)  However, BR
> 8.3 calls for a CA to publicly commit to BR compliance in its CPS --
> did CA Foo publicly commit to following the BRs when it cut the root?
> If yes, it should have followed 17.7.

Of course, we could just give them a waiver. I'm not raising this issue
because it imperils the operation of our root program; I am concerned
that they may not be the only CA in this bucket.

Possible fixes include: allowing CAs who were not being audited to the
BRs *at the time of root generation* to skip this requirement. Or, if
both the script and video are required for all sane audit regimes
(WebTrust, ETSI, whatever) then explicitly say that it's OK to review
the script and video in giving an opinion.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
