[cabfpub] Audit of RAs

Wed Nov 7 18:04:04 UTC 2018

I would like to discuss whether unaudited Delegated Third Parties are
permitted under the BRs. My reading of the BRs (combined with what happened
to Symantec) is that unaudited RAs are, at least mildly, frowned upon by the
browsers. However, I think the BRs may be unclear on this point which is
leading to an increased delegation of responsibilities to unaudited third
parties. If there is confusion, could we pass a ballot to rule one way or
another? 

This is not a hypothetical issue as at least two CAs are permitting
unaudited Delegated Third Parties using logic similar to the following:

Section 8.1 - Certificates Only

"Certificates that are capable of being used to issue new certificates MUST
either be Technically Constrained in line with section 7.1.5 and audited in
line with section 8.7 only, or Unconstrained and fully audited in line with
all remaining requirements from this section. A Certificate is deemed as
capable of being used to issue new certificates if it contains an X.509v3
basicConstraints extension, with the cA boolean set to true and is therefore
by definition a Root CA Certificate or a Subordinate CA Certificate"

Note that certificates all covered by the audit, not Delegated Third
Parties. The audit for an R/A is "error: no such audit exists".  As long as
the certificates (ie, the issuing CA) is covered by a WebTrust/ETSI audit,
there is no requirement for the Delegated Third Party to be covered. If I
include the certs validated by the RA in my random sample, then the RA is
effectively covered by the audit.sort of? Assuming the number of certs the
RA issues is small (1000s compared to 1000000s), the chance of a sample cert
appearing in the 3% is small.

Section 8.4 - Inapplicable Audit Schemes 

"For Delegated Third Parties which are not Enterprise RAs,, then the CA
SHALL obtain an audit report, issued under the auditing standards that
underlie the accepted audit schemes found in Section 8.1, that provides an
opinion whether the Delegated Third Party's performance complies with either
the Delegated Third Party's practice statement or the CA's Certificate
Policy and/or Certification Practice Statement. If the opinion is that the
Delegated Third Party does not comply, then the CA SHALL not allow the
Delegated Third Party to continue performing delegated functions."

Again, the issue is the lack of a audit of the RA, which amounts to the CA
giving a statement to the auditor that the RA totally complies with the CA
policies. No real check because the auditor is only looking at the CA, not
the RA. Also, the section refers to 8.1 which covers certificates, not
operations or process. See the previous argument that there is no audit for
RAs, meaning the only check on the RA is the random sample of certificates
reviewed by the auditor. 

Section 8.7 - Overriding the Audit 

This is where the primary  main control and where the override comes from:

Except for Delegated Third Parties that undergo an annual audit that meets
the criteria specified in Section 8.1, the CA SHALL strictly control the
service quality of Certificates issued or containing information verified by
a Delegated Third Party by having a Validation Specialist employed by the CA
perform ongoing quarterly audits against a randomly selected sample of at
least the greater of one certificate or three percent of the Certificates
verified by the Delegated Third Party in the period beginning immediately
after the last sample was taken. The CA SHALL review each Delegated Third
Party's practices and procedures to ensure that the Delegated Third Party is
in compliance with these Requirements and the relevant Certificate Policy
and/or Certification Practice Statemen

So there is a case where Delegated Third Parties are not audited under 8.1.
What are these? The only thing that makes sense are RAs. This means the CA
can take full ownership of all audit and communication to the RA as long as
they look at 3% (and provide the certs to the auditor of they are included
in the audit by the auditor) and review the practices and procedures. This
places all trust in the CA to ensure these entities are compliance. 

1.3.2 - The Exception

This is where the exception comes into play:

With the exception of sections 3.2.2.4 and 3.2.2.5, the CA MAY delegate the
performance of all, or any part, of Section 3.2 requirements to a Delegated
Third Party, provided that the process as a whole fulfills all of the
requirements of Section 3.2. Before the CA authorizes a Delegated Third
Party to perform a delegated function, the CA SHALL contractually require
the Delegated Third Party to: (1) Meet the qualification requirements of
Section 5.3.1, when applicable to the delegated function; (2) Retain
documentation in accordance with Section 5.5.2; (3) Abide by the other
provisions of these Requirements that are applicable to the delegated
function; and (4) Comply with (a) the CA's Certificate Policy/Certification
Practice Statement or (b) the Delegated Third Party's practice statement
that the CA has verified complies with these Requirements.

Under this section, you can bind the RA by contract to meet the policies and
procedures of the CA (which satisfies the CA's requirements under 8.7 to
ensure the delegated third party is operating in accordance with the CA's
CPS)

That's the logic presented. Ie - 8.1 requires an audit, but the CA can
perform the audit. The CA performs the audit by simply putting a contract in
place that the RA will abide by all requirements. The CA still has to audit
a random sample, but you can delegate that to the Delegated Third Party as
well.. 

Thoughts? Can we create a clear statement on whether delegated third parties
are audited or unaudited? 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://cabforum.org/pipermail/public/attachments/20181107/385e8379/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4984 bytes
Desc: not available
URL: <http://cabforum.org/pipermail/public/attachments/20181107/385e8379/attachment.p7s>