[Servercert-wg] Ballots SC20 and SC21
Tobias S. Josefowitz
tobij at opera.com
Fri May 31 10:17:07 MST 2019
I am a little short on time, so please allow me to cherry-pick one thing
first that I think would really help me understand - I am also quoting
very selectively because of that:
On Fri, 31 May 2019, Ryan Sleevi wrote:
> On Thu, May 30, 2019 at 5:42 PM Tobias S. Josefowitz <tobij at opera.com>
> The current language is inclusive of all systems and changes. A failure to
> achieve that thus rests with the CA.
> The current language is functionally inclusive. All the enumerated systems
> are in scope, and if a CA fails to review such a configuration, the CA has
> violated the NetSec requirement.
> The proposed change weakens that, without any room for debate.
>> To whoever would be tasked to perform an audit.
> Right, and that's a problem, because the information provided by the audit
> does not include the scope; neither the CA's materials nor the assessment
> report include this. As a consequence, I, as a relying party, cannot be
> confident that the sole security relevant system determined by the CA is
> their router, which would be a wholly valid under the proposed language.
> The auditor's fiduciary duty (in the case of WebTrust) or regulatory duty
> (in the context of ETSI) is to the customer and/or supervisory body, and we
> know this can be, has been, and likely is being gamed.
But is it not the case that all a CA would have to say currently is "Hi
Ryan, hi $auditor, meet Hans. Hans reviews our configurations weekly. He
pinky-swears."? Sure, saying this would not technically make them
compliant, but how do you even go about that distinction?
More information about the Servercert-wg