[cabfpub] FW: Bylaw update proposal

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Tue Mar 24 15:06:57 UTC 2015


I guess my point is – who is checking to make sure a subCA is either constrained, or covered by someone’s audit?

Given that the browsers run the root programs and collect the audits, I was wondering if they knew whether all the subCAs listed below are covered by an audit.  That may be the only way to get this practice stopped.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Monday, March 23, 2015 10:22 PM
To: Kirk Hall (RD-US)
Cc: CABFPub
Subject: Re: [cabfpub] FW: Bylaw update proposal


On Mar 23, 2015 10:09 PM, "kirk_hall at trendmicro.com" <kirk_hall at trendmicro.com> wrote:
> That’s a question for the browsers – Browsers, what do you say?

I'm not sure why this is a question for browsers - audit scope is audit scope. Some CAs include subordinate CAs in scope of their own audits - such as when they control and operate the infrastructure - other CAs don't.

Mozilla Root Inclusion Policy (Sections 8 and 10) requires that unconstrained subordinate CAs be disclosed and audited. Mozilla CA communications from May 2014 [1] affirmed this.

I would expect that all of the CAs fall in one of the two buckets, and it's up to their issuer to decide.

From the point of view of program operation, it does not make a difference whether or not that subordinate is operated by a third party - have audit and fill out the form, will travel.

[1] https://wiki.mozilla.org/CA:Communications#May_2014_Responses
