[Servercert-wg] Audit Model Proposals

Ryan Sleevi sleevi at google.com
Wed Aug 18 02:20:52 UTC 2021

Hi David,

Thanks for sharing the perspective of the Cloud Services subgroup.

Just to make sure: This is a subgroup of the Network Security subcommittee,
right? Could you share more about how this group's work fits within the
remit of Ballot SC10?
I ask, because one of the points that repeatedly came up during the
balloting of this Subcommittee was wanting to ensure the scope was
appropriately limited from scope creep, and clear deliverables to inform
next steps. This appears to be a bit of a scope creep, and so it's perhaps
useful to revisit how these activities fit together, given the primary
deliverable was a risk analysis and threat model to justify further changes.

On Tue, Aug 17, 2021 at 4:06 PM David Kluge via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> Audit Model Proposals
> Model 1 – Direct audit: third party controls included in CA audit
> The CA’s auditor includes third parties into the CA’s audit report.
> Control testing at the third party is performed by the CA’s auditor
> directly. This model assumes that the CA has some control over the CSP and
> that no changes to the NSRs will be needed.

Correct, this is the current (longstanding) expectation.

It's not clear that there are benefits (to browsers and users) for Model 2
or Model 3 that justify the significant risk both approaches provide. We
have ample, demonstrable evidence of the failures with respect to Model 2
and Subordinate CAs and Delegated Third Parties, and it would be
unthinkable to promulgate this model further, given the failures seen.

Model 3 is functionally proposing two different models - 3.1 reported to
browsers (which is closer in spirit to Model 4) and 3.2 reported to CAs
(which is closer in spirit to Model 2).

Given that Model 2 is unacceptable for new work, this basically leaves
Model 4, which it seems that the Cloud Services subgroup has concerns
about. This similarly seems to reflect the concerns raised during the F2F
around such a model and the complexity-to-value tradeoff for root programs.

As such, it does seem like Model 1 remains the only viable path for the
near-to-medium term, and focusing on what the Network Security subcommittee
was chartered to deliver, seems like a good path forward to continuing the
conversation. Alternatively, if the NetSec subcommittee would like to
propose a recharter, given the lack of progress on these long-standing
deliverables, then that's certainly something to discuss, but it may be
useful to review some of the historic conversation that led to the present

I understand there is some excitement, for some CAs, in pursuing a path of
cloud services, but the risks here, as a browser member, are substantial,
and the value proposition is, at best, questionable. The relationship
between a Root Program and a CA reflects the CA being a valued service
provider that acts on behalf/provides a service to a Root Program, as
captured in the design of documents such as RFC 3647 or the ABA's PKI
Assessment Guidelines that would inspire WebTrust. Presently, the explicit
and expressed expectation of Root Programs is a direct relationship with
all parties involved in that fulfillment of service, to ensure that the
necessary security objectives are met. The introduction of cloud services
into this mix poses substantial new and additional risks, and risks that
are potentially atypical than might be found in other vendor/supplier
relationships, and thus continues to warrant special scrutiny and concern.

I hope none of this comes as a surprise to the Network Subcommittee
members, given how long this specific topic has been discussed. For
example, the F2F 41 in Berlin in 2017 discussed precisely this point, with
respect to the models you're proposing, with the conclusion being Model 1
is the expectation. This also matched the creation of the precursor for the
Network Security Subcommittee of the Server Cert Chartered Working Group -
the Network Security Working Group - so it's not that there is particularly
new information here relevant to the previous discussion, in