[cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Apr 27 21:10:25 UTC 2017

On your proposal at the end below (one auditor covers the CA and all subordinate DTPs) - that sounds like a good idea to me, so long as the main WebTrust auditor for MegaCA is able to subcontract certain audit tasks to qualified WebTrust auditors (perhaps with another company) who speak Freedonian.  The main auditor would be responsible for picking a qualified WebTrust auditor to do the work in Freedonia, and would roll the results into the main audit.

We should perhaps check with Jeff Ward to see if this kind of link between two auditors is possible.

-----Original Message-----
From: geoffk at apple.com [mailto:geoffk at apple.com] 
Sent: Thursday, April 27, 2017 2:02 PM
To: Kirk Hall <Kirk.Hall at entrustdatacard.com>
Cc: Gervase Markham <gerv at mozilla.org>; CA/Browser Forum Public Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Forbid DTPs from doing Domain/IP Ownership Validation ballot draft

> On 27 Apr 2017, at 11:57 am, Kirk Hall <Kirk.Hall at entrustdatacard.com> wrote:
> You have identified one case where an external RA (DTP) was not known to you -- I believe it was the Korean partner of Symantec, right?  Have you encountered any other cases that are similar?
> In the Symantec case, you and Google have taken major action involving Symantec, the Korean DTP, and I think even the Korean auditor.  Is that not sufficient?

The point here is that we would like not to have to do that again.

The problem wasn't just one DTP; in fact, there were two distinct problems. There was one DTP that had an apparently clean audit but had some improperly issued certificates, and then, when the audits for the other DTPs were examined, there were a variety of irregularities.  This proposal is addressing the second problem.

> Why not require CAs to list all DTPs relied on as an appendix to their audits, with links to the related audits of the DTPs?  I think Geoff suggested something like that (and he was in the same meeting I was, and presumably heard all the same discussion I did - no malice there).

Not exactly.  My alternative was that all the DTPs be audited in the same audit as the CA.  One audit report signed by one auditor, no links, no mismatched timeframes, no qualifications on the DTP that don’t get reflected in the CA’s audit, and definitely no missing audits.
