[cabfpub] BRs, audits and historical point-in-time events

Gervase Markham gerv at mozilla.org
Wed Jul 23 10:53:06 UTC 2014


On 23/07/14 11:38, tScheme Technical Manager wrote:
> I must say that I find it hard to imagine what retrospective requirement
> could be resolved by script and video - "only three people in the room"
> might do it.

Well, these are the requirements of the BRs:

For Root CA Key Pairs created after the Effective Date ... the CA SHALL:
1. prepare and follow a Key Generation Script,
2. have a Qualified Auditor witness the Root CA Key Pair generation
process or record a video of the entire Root CA Key Pair generation process,
3. have a Qualified Auditor issue a report opining that the CA followed
its key ceremony during its Key and Certificate generation process and
the controls used to ensure the integrity and confidentiality of the Key
Pair.

The question is: if a CA has done 1) and 2), can the Qualified Auditor,
perhaps with reference to the script and video, issue the report
mentioned in 3) even if they were unaware of these paragraphs of
requirements at the time?

The auditor needs to opine that the CA followed its ceremony. Would
reviewing the video and script allow them to opine that?

The auditor needs to opine that (and the grammar in the BRs seems a
little odd here) the CA used controls to ensure the integrity and
confidentiality of the key pair. Would reviewing the script and video
allow them to opine that?

If the answer to those two questions is yes, then we are sorted.

What do you think it is?

> I thought the BRs put stricter requirements on the CA in terms of how it
> performs and secures its processes - unlikely to be evidenced by S & V - and
> on its Certificate contents and CPs - which presumably could be analysed
> post-event to see if they would have complied at the time.

Can you give examples of things that you think 17.7 requires auditors to
check, which would not be evidenced by the S & V?

Gerv
