[cabfpub] Agenda addition request: auditing of Delegated Third Parties

Kirk Hall Kirk.Hall at entrustdatacard.com
Thu Mar 16 15:56:17 UTC 2017 

As of now, we have time on Day 2 - so unless you and/or Peter want to move to Future of PKI, we can book some time.

I think the purpose of an initial discussion will simply be to scope the situation, and not necessarily reach conclusions or goals for the future of PKI - so it seems appropriate for a main session.  But if you decide to move to a PKI breakout session, that's ok too.

-----Original Message-----
From: Public [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham via Public
Sent: Thursday, March 16, 2017 3:20 AM
To: CABFPub <public at cabforum.org>
Cc: Gervase Markham <gerv at mozilla.org>
Subject: [cabfpub] Agenda addition request: auditing of Delegated Third Parties

Hi Kirk and all,

If it's not too late, can we add an additional item to the agenda for the F2F?

The Baseline Requirements, in section 1.3.2 (title: "Registration
Authorities") have the concept of a Delegated Third Party (DTP), to whom some or all of the tasks in section 3.2 (title: "Identity Validation") can be delegated, including the validation of domain ownership. The way this section is worded leads be to believe an RA and a DTP are effectively the same thing; please correct me if that's wrong.

Delegated Third Parties may, but are not required to be audited (see section 8.4). But if they are, those audits are not necessarily required to be disclosed to Mozilla under our current processes because they do not correspond to a particular root or intermediate.

We would like to explore with CAs the impact of tightening the rules in this area, in one of several possible ways, to make sure that audits are always obtained when appropriate, and are always disclosed to root programs.

One possible change is to require all CAs to arrange it so that certs validated by an RA/DTP are issued from one or more intermediates dedicated solely to that RA, with such intermediates clearly labelled with the name of the RA in the Subject. This idea provides a natural point for the CP/CPS and audits of the RA to be monitored in the CCADB, because they would be attached by the CA to the issuing intermediate for that RA.

But there may be other ways of doing this, and we want to make sure we do not impose disproportionate burdens.

Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public

More information about the Public mailing list