[cabfpub] Agenda addition request: auditing of Delegated Third Parties

Gervase Markham gerv at mozilla.org
Thu Mar 16 10:20:18 UTC 2017


Hi Kirk and all,

If it's not too late, can we add an additional item to the agenda for
the F2F?

The Baseline Requirements, in section 1.3.2 (title: "Registration
Authorities") have the concept of a Delegated Third Party (DTP), to whom
some or all of the tasks in section 3.2 (title: "Identity Validation")
can be delegated, including the validation of domain ownership. The way
this section is worded leads me to believe an RA and a DTP are
effectively the same thing; please correct me if that's wrong.

Delegated Third Parties may, but are not required to, be audited (see
section 8.4). But if they are, those audits are not necessarily required
to be disclosed to Mozilla under our current processes, because they do
not correspond to a particular root or intermediate.

We would like to explore with CAs the impact of tightening the rules in
this area, in one of several possible ways, to make sure that audits are
always obtained when appropriate, and are always disclosed to root programs.

One possible change is to require all CAs to arrange it so that certs
validated by an RA/DTP are issued from one or more intermediates
dedicated solely to that RA, with such intermediates clearly labelled
with the name of the RA in the Subject. This idea provides a natural
point for the CP/CPS and audits of the RA to be monitored in the CCADB,
because they would be attached by the CA to the issuing intermediate for
that RA.

But there may be other ways of doing this, and we want to make sure we
do not impose disproportionate burdens.

Gerv