- From: "Peter Williams" <home_pw AT msn.com>
- To: "'Ian Grigg'" <iang AT systemics.com>, <cacert-policy AT lists.cacert.org>
- Subject: RE: [CAcert-Policy] What's the name for?
- Date: Tue, 26 Jul 2005 03:35:15 -0000
- List-archive: <http://lists.cacert.org/cgi-bin/mailman/private/cacert-policy>
- List-id: Policy-Discussion <cacert-policy.lists.cacert.org>
> -----Original Message-----
> From: Ian Grigg [mailto:iang AT systemics.com]
> Sent: Monday, July 25, 2005 3:26 PM
> To: cacert-policy AT lists.cacert.org
> Cc: Peter Williams
> Subject: Re: [CAcert-Policy] What's the name for?
>
> On Sunday 24 July 2005 04:22, Peter Williams wrote:
> > If one is prepping for an audit, it's worth constructing our own tests in
> > certain areas - areas where any auditor is likely to construct tests:
>
>
> Hmm... Are you essentially proposing that CACert
> conduct its own audits inhouse?
Of course. Isn't this a normal process for a CA? To constantly measure
the quality of the operations when performing the policy? To constantly
measure response time for the (pretend) compromise cases? To address the
nasty questions like prepping for trusted employee resignations, responding to govt
covert access to keys, etc.; assuming the earthquake hits, so one fires up the
cold standby servers; addressing a subpoena when it arrives, etc. etc. I.e.,
all the TTP activities, which have little to do with operating a cert-minting
box.
One preps (prepares) for the examination phase of an attestation-grade third
party audit by going through (internally) the motions of any CPA-style audit
process. As third-party auditors' examination processes tend to cost money by
the minute, it's worth making the effort to test oneself, get used to a
record-based testing regime, and get good at it. If you cannot find the
records yourself when you are relaxed, it's even harder when someone is
watching whether (a) you can accomplish the tasks, (b) you seem to
know what you are doing and can show records of having done it before, and (c)
which others you interact with and on whom you depend, to see how they
perform when the particular test is performed, unannounced.
If the policy doc says that no proof of possession of the private key is
checked, but in reality it's happening, and the policy writer didn't know
this fact, one worries that fundamental business controls are not in effect.
That is, "management" is not "in control" of the security policy which
ensures the TTP's claims - in its business disclosures to the public - are
true.
A (CPA-grade) CA audit has little to do with firewalls, not too much to do
with crypto really, and lots to do with showing one has adopted the posture
of a TTP. Passing a CA audit is quite similar to passing a VISA audit, for a
bank trying to hook up its payment authorization systems to VISANet, by
operating a VAP server.
>
> > .... A public CPA is really making
> > a public representation after all: is the organization really "trying"
> to
> > meet the public's expectations, when assigning their trust!
>
>
> The standard for a CA audit seems to be way below
> that. From discussions on this I've seen related to
> the Mozilla project to identify how to accept new CAs,
> the purpose of the CA audit is more or less to check
> that the CA is doing what it says it is doing.
In non-Mozilla regimes, the criteria and the principles are set according to
wider assurance principles, not dissimilar to those used to get confidence
in financial accounts. The VISA analogy is really proper here.
The fun is going to be to see whether
(a) Mozilla defines its own criteria (given the WebTrust Criteria are
copyrighted and can only be (legally) used by specially licensed CPAs who must
share the data gathered on CA audits),
(b) Mozilla allows CAs to define their OWN evaluation criteria,
(c) Mozilla or the CA shall prove that the criteria actually used
are "equivalent" to WebTrust (for those root lists that use WebTrust as the
gating function), and
(d) being a member of the Mozilla trust list means anything to the
public (other than that you are a member of the FSF community).
Let's recall, at the end of the Netscape era, being a member of the Netscape
trust list was essentially a question of paying money. I understand many of
the Linux distributions operate on the same principle, today.
I've good reasons to believe that, in contrast, Microsoft requires an
attestation from a CPA (or equiv person skilled in audit techniques) that is
equivalent in criteria and principles to the WebTrust criteria and
principles. As far as I know, no money passes hands for the privilege of
joining their list. Rather, they prefer you spend the money on a public
accountant who is pledged to work for, and respected as working for, the
public good when issuing an attestation upon which the public is expected to
rely.
> iang
> --
> Advances in Financial Cryptography, Issue 2:
> https://www.financialcryptography.com/mt/archives/000498.html
> Mark Stiegler, An Introduction to Petname Systems
> Nick Szabo, Scarce Objects
> Ian Grigg, Triple Entry Accounting