[cabfpub] BRs, audits and historical point-in-time events

Ben Wilson Ben.Wilson at digicert.com
Tue Jul 22 18:28:35 UTC 2014


Gerv, 
Am I right to understand that it is mainly the third item in 17.7 -  "3. have a Qualified Auditor issue a report opining that the CA followed its key ceremony during its Key and Certificate generation process and the controls used to ensure the integrity and confidentiality of the Key Pair?" because 1. and 2. were done, but 3. is now difficult to do?  In other words, CA Foo performed the key ceremony that met certain requirements, likely those in 17.7 1. and 2., but that the auditor was only looking at WebTrust 2.0 and WebTrust for EV 1.3 during the last audit, such that it is like water that has flowed under the bridge and cannot be measured now?
Thanks,
Ben
 

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Tuesday, July 22, 2014 7:59 AM
To: cabfpub
Subject: [cabfpub] BRs, audits and historical point-in-time events

The following situation in regard to the BRs recently arose. What is the wisdom of the group?

* CA Foo, Inc. wishes to include their root in Mozilla products.

* By Mozilla policy, this requires an audit to check they are following
  the BRs.

* CA Foo's auditors are Bar Audit Corp.

* Some time in 2012, CA Foo created a root.

* Bar Audit Corp audited that root creation process according to
  WebTrust 2.0 and WebTrust for EV 1.3.

* However, they did not audit it according to the BRs.

* The BRs require, in section 17.7, that all roots created after 1st
  July 2012 meet certain procedural criteria.

* However, Bar Audit Corp can't go back and reaudit a one-time event
  according to different criteria.

* How then can CA Foo pass its BR audit?

To generalise, the problem is that the BRs require something which is difficult to do in retrospect if you didn't do it at the time - which may be because you didn't even know about the BRs or that they were relevant to you. How do we handle that?

Gerv