[cabfpub] Reporting on new CAs created between audit reports

Gervase Markham gerv at mozilla.org
Fri Sep 30 15:48:55 UTC 2016


On 23/09/16 21:01, Peter Bowen wrote:
> Do others think that this is a viable path?  Would this provide the
> level of transparency and assurance that trust store operators want?

I discussed this with Kathleen. I made the point that:

> I can sort of see Peter's point - if CA Foo has 12 HSMs lined up
> in their data centre, with unconstrained intermediates in them, and it
> creates a 13th one and adds it to the rack (perhaps for scaling), that
> seems like a different situation to "OK, I have a new data centre, new
> staff, new controls, and here's my new subordinate I'm going to issue from".
> 
> Throwing out ideas: can we find a way of saying that if the new
> intermediate is kept in basically the same conditions and under the same
> controls as an existing one, then a letter attesting to that fact is
> sufficient, but if there are variances, an audit is required? Can we
> make a line here bright enough to be useful?

And Kathleen replied:

> Yes, I think that would work. Thanks!

So is there some way we could work towards that?

Gerv




More information about the Public mailing list