[cabfpub] Changing numbers of self-audited certificates

Jeremy Rowley jeremy.rowley at digicert.com
Wed Jun 7 20:54:49 UTC 2017

The audits are more deficient than just the minimum number. If a CA issues a
million certs to one customer, the entire 3% audit will be that single
customer. If that system is automated, all other customers and systems are
effectively masked.  I haven't figured out to expand the audit requirement
though. Perhaps a minimum that is something along the lines of the greater
of 3% of certificates with a unique profile and five cert? An alternative is
3% of certificates with a unique base domain?

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase
Markham via Public
Sent: Tuesday, June 6, 2017 4:47 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [cabfpub] Changing numbers of self-audited certificates

Currently, the BRs define, in section 8.7, the parameters for self-audits
and audits of certificates below a TCSC. At the moment, the number of certs
randomly chosen to be audited is defined as "the greater of one certificate
or at least three percent of the Certificates issued".

I think that auditing just a single certificate (which is currently OK up
until 33 are issued) makes it too easy to overlook problems when volumes are
small. I propose instead a 5-certificate minimum, or 3%, whichever is
larger. In other words:

Issued Audited
0      0
1      1
5      5
6      5
166    5
167    6

We could just change the "one" to a "five" if people thought it was obvious
that if you've issued less than five, you just audit all of them. Or we
could expand the text a bit to explicitly describe that.

I would be interested in feedback on the impact of this change. It's been
proposed for the Mozilla policy but as it's a BR stipulation I thought we
should try here first.

Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4964 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170607/eef40f5b/attachment-0001.p7s>

More information about the Public mailing list