[Servercert-wg] Ballots SC20 and SC21

Tobias S. Josefowitz tobij at opera.com
Thu May 30 16:44:49 MST 2019


On Thu, 30 May 2019, Tobias S. Josefowitz wrote:

> On Thu, 30 May 2019, Ryan Sleevi via Servercert-wg wrote:

[...]

>>  As noted, the math here shows the worst case is now the 'minimum'
>>  requirement under this proposal. The existing requirements, while sharing
>>  the 'worst' case, have a significantly better 'best' case, which is more
>>  auditable as such.
>
> Well, except, how do you systematically *not* detect an issue in your 
> configuration for six days? If you have to detect within seven days, I would 
> suppose you have to check ... within seven days, i.e. at least weekly, and 
> once you detect, you detected.

Ryan, is it in fact possible that you interpret 1h to mean that CAs should 
review configuration changes they make intentionally/knowingly and within 
their regular processes?

The interpretation underlying SC20, at least as far as I am concerned, is 
that the objective is to first and foremost detect configuration changes 
that somehow "sneaked in", i.e. a software update changing configuration 
(would likely leave the changed config in violation of policy), staff not 
following the CA's internal process (really should be a policy violation), 
rogue staff (hopefully really would also be a violation of a CA's 
policies) or outright adversarial action (also, hopefully, against policy 
in and by itself).

