[cabfpub] Changing numbers of self-audited certificates
jeremy.rowley at digicert.com
Wed Jun 7 20:54:49 UTC 2017
The audits are more deficient than just the minimum number. If a CA issues a
million certs to one customer, the entire 3% audit will be that single
customer. If that system is automated, all other customers and systems are
effectively masked. I haven't figured out to expand the audit requirement
though. Perhaps a minimum that is something along the lines of the greater
of 3% of certificates with a unique profile and five cert? An alternative is
3% of certificates with a unique base domain?
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Tuesday, June 6, 2017 4:47 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [cabfpub] Changing numbers of self-audited certificates
Currently, the BRs define, in section 8.7, the parameters for self-audits
and audits of certificates below a TCSC. At the moment, the number of certs
randomly chosen to be audited is defined as "the greater of one certificate
or at least three percent of the Certificates issued".
I think that auditing just a single certificate (which is currently OK up
until 33 are issued) makes it too easy to overlook problems when volumes are
small. I propose instead a 5-certificate minimum, or 3%, whichever is
larger. In other words:
We could just change the "one" to a "five" if people thought it was obvious
that if you've issued less than five, you just audit all of them. Or we
could expand the text a bit to explicitly describe that.
I would be interested in feedback on the impact of this change. It's been
proposed for the Mozilla policy but as it's a BR stipulation I thought we
should try here first.
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4964 bytes
Desc: not available
More information about the Public