[Servercert-wg] Ballots SC20 and SC21

Tobias S. Josefowitz tobij at opera.com
Fri May 31 10:17:07 MST 2019


I am a little short on time, so please allow me to cherry-pick one thing 
first that I think would really help me understand - I am also quoting 
very selectively because of that:

On Fri, 31 May 2019, Ryan Sleevi wrote:

> On Thu, May 30, 2019 at 5:42 PM Tobias S. Josefowitz <tobij at opera.com>
> wrote:
>
> The current language is inclusive of all systems and changes. A failure to
> achieve that thus rests with the CA.
>
> The current language is functionally inclusive. All the enumerated systems
> are in scope, and if a CA fails to review such a configuration, the CA has
> violated the NetSec requirement.
>
> The proposed change weakens that, without any room for debate.
>
>> To whoever would be tasked to perform an audit.
>>
>
> Right, and that's a problem, because the information provided by the audit
> does not include the scope; neither the CA's materials nor the assessment
> report include this. As a consequence, I, as a relying party, cannot be
> confident that the sole security-relevant system determined by the CA is
> their router, which would be wholly valid under the proposed language.
> The auditor's fiduciary duty (in the case of WebTrust) or regulatory duty
> (in the context of ETSI) is to the customer and/or supervisory body, and we
> know this can be, has been, and likely is being gamed.

But is it not the case that all a CA would have to say currently is "Hi 
Ryan, hi $auditor, meet Hans. Hans reviews our configurations weekly. He 
pinky-swears."? Sure, saying this would not technically make them 
compliant, but how do you even go about that distinction?
