digitalist posted:
So I'm reading through the Globaltrust Certification Policy and, from what I understand, it's just supposed to state "what" they do, and the Certification Policy Statement is where they demonstrate how they accomplish the what. I guess it makes it pretty dry reading; is there a matrix somewhere I could compare or check boxes to make sure they're at least covering the necessary bases?

another public auditor has hit the thread
May 5, 2024 04:35
|
Got a lot to learn about this; CPS is actually Certification Practice Statement. RFC 3647 is the document I was looking for, quote:

Abstract

quote:

* The responsibility of a PKI participant to publish information

I guess it makes some sense some of those technical controls might not be available, it could be exploited. But it does feel like there's a massive gulf between "we make sure our stuff won't be damaged by water" and information that would enable exploitation. I suppose this is something an audit would look at? It would be nice if they said somewhere under what conditions it would be made available, even if it's only to professional auditing firms.

Frequency of audits seems to be specified within the CPS, in globaltrust's case, quote:

Audits through external assessors are conducted on principle once a year

There were three audits conducted in 2023:
https://service.globaltrust.eu/static/conformity-assessment-2023.pdf
https://service.globaltrust.eu/static/conformity-assessment-seal-2023.pdf
https://www.a-sit.at/wp-content/uploads/2023/05/VIG-23-044_audit-attestation_globaltrust-etsi-2023_final_signed.pdf

So from my tiny research session, despite their CPS giving off first-year-university-student-writing-an-essay effort vibes, you could argue it's compliant. Except for the above, almost. By this time last year they had two audits completed, and in a month they will be past the one-year mark from their most recent audit. But the CPS says "annual" and I guess they could get away with an audit conducted in December of 2024; technically it would be annual. Interesting start, will keep poking around but enough for this evening.

digitalist fucked around with this message at 06:07 on May 5, 2024
May 5, 2024 04:58

YACPOS your audit compliance is a piece of poo poo
May 5, 2024 06:09
|
Salt Fish posted:
I always had some sense that PKI depending on trusted root CAs was ripe for Bad Things to happen but I didn't expect multiple CAs to have worse security than my grandma's wordpress.

In retrospect I shouldn't have been surprised, but I was.
May 5, 2024 06:48
|
digitalist posted:
So I'm reading through the Globaltrust Certification Policy and, from what I understand, it's just supposed to state "what" they do, and the Certification Policy Statement is where they demonstrate how they accomplish the what. I guess it makes it pretty dry reading; is there a matrix somewhere I could compare or check boxes to make sure they're at least covering the necessary bases?

digitalist posted:
Fascinating read. Curious to actually get into the meat of the matter, so off I went to find the GLOBALTRUST Certificate Security Policy, shouldn't this be called the Certification Policy Statement? Anyway, then I stumbled on this, which is actually on the first page or so of the Certification Policy document,

digitalist posted:
Got a lot to learn about this,

What you should think when reading these is "these are the self-imposed limitations on creating a certificate; how clear is each section?". Honestly I didn't expect you to dig into it that deep or I'd have given you a bit more info to start. I've already given a bunch of questions and head-scratching on bugzilla trying to make sense of the document; it's really the deep end of badly written CA docs.

For anyone who wants to follow along there are the:

Baseline Requirements: https://cabforum.org/working-groups/server/baseline-requirements/documents/ - literally the skeleton of what you should be doing in your CP/CPS, and your CP/CPS should have wording saying the BR supersedes them when they're wrong
Incident Report: https://www.ccadb.org/cas/incident-report - how you should handle an incident report; note 72 hours from being made aware to filing, so missing that is another problem
Chrome Root Program Policy: https://g.co/chrome/root-policy - oh, Chrome does say "an authoritative English language version"...
Mozilla's Main CA Page: https://wiki.mozilla.org/CA - bunch of random info in there
Mozilla's Root Store Policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ - most of the policy as...
Mozilla Incident Report: https://wiki.mozilla.org/CA/Responding_To_An_Incident - there's the Mozilla incident report building on top of CCADB's minimum
Microsoft Trusted Root Program: https://learn.microsoft.com/en-us/security/trusted-root/program-requirements - basically useless
Apple Root Certificate Program: https://www.apple.com/certificateauthority/ca_program.html - pretty useless too, but they do ask for any incident to go directly to them on top of bugzilla
Bunch more resources: https://www.ccadb.org/resources

Wiggly Wayne DDS fucked around with this message at 12:25 on May 5, 2024
May 5, 2024 11:51

Wiggly Wayne DDS posted:
Chrome Root Program Policy: https://g.co/chrome/root-policy

Thanks for all this, tempted to put together a « so you want to learn how to audit CAs guide » as I go along with all this. Will dig in, but one thing I forgot to mention is that on globaltrust’s website I wasn’t able to find an English version of the audit docs, just German. But the CCADB link you posted did link to English versions of those documents. Seems like it’s something you would want on your website, but maybe it being available through the CCADB is enough. It’s an interesting process, just pulling on a thread and seeing where it leads.
May 5, 2024 13:22
|
MononcQc posted:
Human health and safety are sometimes the responsibility of government agencies though.

yes for sure, and those aspects of agency operation tend to be regulated and audited for business continuity capabilities. one of the things they absolutely need to have continuity through is a vendor error, such as a CA accidentally revoking their cert.

perhaps I can imagine that some don’t, and discover this when a CA comes to them and says “we misissued this certificate (which is essential to health and safety etc), and we need to revoke”. at that point, if they realize that they can’t rotate in the five day window (!), I would very much expect them to ask for an exception once and then remediate whatever gave them that problem as promptly as possible—with public reports on their completion, because that exception has impacts on WebPKI integrity.

I would also expect anyone selling certs as infrastructure for safety-critical functions to make them aware of the possibility that certificates will need to be revoked, and impress upon them the importance of being able to replace them.

the idea of safety-critical stuff depending on WebPKI is itself pretty worrying, speaking as someone who has had to consider “societal effects” when making decisions about how it is administered. I sort of feel that WebPKI should be declared explicitly as not being suitable for safety-critical applications, since it can’t feasibly provide the levels of reliability and availability that would be (IMO; never audited for it) appropriate for such uses.
May 5, 2024 15:18
|
Subjunctive posted:
the idea of safety-critical stuff depending on WebPKI is itself pretty worrying, speaking as someone who has had to consider “societal effects” when making decisions about how it is administered. I sort of feel that WebPKI should be declared explicitly as not being suitable for safety-critical applications, since it can’t feasibly provide the levels of reliability and availability that would be (IMO; never audited for it) appropriate for such uses

The time delay is worrying, especially for slow-moving organizations like governments. I know from past jobs that a government ministry wanting to change certificate providers, for example, would take at least 6-12 months because of procurement/public offer regulations. Maybe there's an exception in there somewhere for emergencies; I would have trouble conceiving of that not existing, but yeah, something I feel compelled to check out now.
May 5, 2024 15:45
|
another option is to work with multiple CAs, ideally for certs with out-of-phase lifetimes, so that if something fucks up with one CA you’re ready to go on your “hot spare”. you can also run replacement drills between the cert sets at low risk, because if you miss one it’s still got something valid while you clean up.

that’s how all the tech majors run, because FB’s web certs getting blown away literally stops the business (as has happened a couple of times for short time periods)
May 5, 2024 15:56
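As an added example (not code from the thread or from any poster), here is a small Python model of the two-CA "hot spare" arrangement described in the post above, checked against the five-day revocation window mentioned earlier in the thread. It assumes constructed CA names (ca-alpha, ca-beta) and constructed validity dates; the point it makes is that a spare only helps if its lifetime is out of phase with the primary's, so that losing either CA, or botching a replacement drill, still leaves a valid cert for longer than the revocation deadline.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Iterable

# Deadline discussed upthread: a CA that has to revoke a misissued cert may
# give you only five days, so a spare is only useful if it outlasts that.
REVOCATION_WINDOW_DAYS = 5


@dataclass(frozen=True)
class Cert:
    issuer: str        # issuing CA; the names used below are constructed samples
    not_before: date
    not_after: date

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after

    @property
    def lifetime_days(self) -> int:
        return (self.not_after - self.not_before).days


def days_covered(certs: Iterable[Cert], today: date,
                 exclude: Callable[[Cert], bool] = lambda c: False) -> int:
    """Days from `today` for which some cert not matched by `exclude` stays valid.

    Every survivor is already valid today, so coverage runs unbroken until the
    latest surviving not_after; 0 means nothing usable is left right now."""
    survivors = [c for c in certs if c.valid_on(today) and not exclude(c)]
    if not survivors:
        return 0
    return (max(c.not_after for c in survivors) - today).days


def lose_ca_report(certs: list[Cert], today: date) -> dict[str, dict]:
    """For each CA: how long you stay covered if all of its certs had to be
    revoked today, and whether that beats the revocation window."""
    report = {}
    for issuer in sorted({c.issuer for c in certs}):
        days = days_covered(certs, today, exclude=lambda c: c.issuer == issuer)
        report[issuer] = {"days_covered": days,
                          "survives_revocation": days >= REVOCATION_WINDOW_DAYS}
    return report


def phase_offset_days(certs: list[Cert], issuer_a: str, issuer_b: str) -> int:
    """Gap between the two CAs' latest expiry dates. Out-of-phase sets aim for
    roughly half a lifetime so the two renewal cycles never coincide."""
    def latest(issuer: str) -> date:
        return max(c.not_after for c in certs if c.issuer == issuer)
    return abs((latest(issuer_a) - latest(issuer_b)).days)


def drill_is_safe(certs: list[Cert], drilled: Cert, today: date) -> bool:
    """A replacement drill swaps out one cert; it is low-risk when what is left
    still covers the revocation window, so a botched swap is not an outage."""
    remaining = days_covered(certs, today, exclude=lambda c: c == drilled)
    return remaining >= REVOCATION_WINDOW_DAYS


TODAY = date(2024, 5, 5)  # constructed: the day of the thread

# Constructed sample: two 90-day certs from different CAs, expiries 45 days apart.
STAGGERED = [
    Cert("ca-alpha", date(2024, 3, 1), date(2024, 5, 30)),
    Cert("ca-beta", date(2024, 4, 15), date(2024, 7, 14)),
]
# Constructed anti-example: both CAs issued on the same day, so both expire together.
IN_PHASE = [
    Cert("ca-alpha", date(2024, 2, 8), date(2024, 5, 8)),
    Cert("ca-beta", date(2024, 2, 8), date(2024, 5, 8)),
]

if __name__ == "__main__":
    for name, certs in (("staggered", STAGGERED), ("in-phase", IN_PHASE)):
        print(f"{name}: phase offset {phase_offset_days(certs, 'ca-alpha', 'ca-beta')} days")
        for issuer, row in lose_ca_report(certs, TODAY).items():
            print(f"  lose {issuer}: {row['days_covered']} days covered, "
                  f"{'ok' if row['survives_revocation'] else 'OUTAGE RISK'}")
        print(f"  drill on {certs[0].issuer} safe: {drill_is_safe(certs, certs[0], TODAY)}")
```

With the staggered set, losing either CA on May 5 still leaves 25 or 70 days of valid coverage, comfortably past the five-day window; with the in-phase set, either loss leaves three days, which is exactly the situation the post warns about. Feeding this real deployments means replacing the constructed `Cert` entries with dates read from the actual certificates.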