cabforum / servercert

Repository for the CA/Browser Forum Server Certificate Chartered Working Group
https://cabforum.org/working-groups/scwg/

RA definitions: Almost anything is an RA #424

Open timfromdigicert opened 1 year ago

timfromdigicert commented 1 year ago

Baseline requirements: "Registration Authority (RA): Any Legal Entity that is responsible for identification and authentication of subjects of Certificates, but is not a CA, and hence does not sign or issue Certificates. An RA may assist in the certificate application process or revocation process or both. When “RA” is used as an adjective to describe a role or function, it does not necessarily imply a separate body, but can be part of the CA."

RFC 5280: "registration authority, i.e., an optional system to which a CA delegates certain management functions;"

These definitions are so broad as to be practically meaningless. It has been noted internally that our CA Product Manager assists with issuance, is part of a CA, and performs certain management functions. Is he an RA? If we're going to write requirements for RAs, a good first step would be defining what one actually is.

timfromdigicert commented 1 year ago

Note that for the first definition, the first part is pretty good, but then it uses weasel words to basically contradict everything in the clear first half.

XolphinMartijn commented 1 year ago

It has been noted internally that our CA Product Manager assists with issuance, is part of a CA, and performs certain management functions. Is he an RA?

No, because I would argue he is not a Legal Entity.

Having said that, I agree with you. The second part seems to contradict the first part in some ways.

I would guess this was written in a time before there was WebTrust for RAs. Should this definition be closer related to an audited entity?

It seems we already have a carveout definition for Enterprise RA, so that should not be any direct issue (but let's make sure it's not).

BenWilson-Mozilla commented 1 year ago

"RA" has always been a generic term for a subset of CA functions that are often delegated. See sections D.1.3.1 and D.1.3.2 of the PKI Assessment Guidelines, which I can provide, or can be found here https://theworld.com/~goldberg/pagv30.pdf or here https://tglassey.files.wordpress.com/2018/05/pagv30.pdf.

timfromdigicert commented 1 year ago

Yes, I'm aware that this level of vagueness is historical and traditional. I'm just arguing that it's also undesirable :)

ryancdickson commented 1 year ago

Another consideration for this update, whenever it takes place --- it also seems there’s room for improvement in defining “enterprise RA” and "delegated third party" (functionally introduced in 1.3.2 "Registration Authorities").

Definitions from the BRs:

Interpretation:

Intended outcome: Improve clarity and more explicitly represent the relationship between these roles (and expected audit coverage).

bcmorton commented 1 year ago

I think the Enterprise RA role is really limited to its definition of authorizing issuance of certificates. The text in section 1.3.2 is about how the CA decides the certificate has a domain; the Enterprise RA can approve issuance. Section 8.4 does not require monitoring or audit.

In addition, the BRs define Applicant Representative: A natural person or human sponsor who is either the Applicant, employed by the Applicant, or an authorized agent who has express authority to represent the Applicant: i. who signs and submits, or approves a certificate request on behalf of the Applicant, and/or ii. who signs and submits a Subscriber Agreement on behalf of the Applicant, and/or iii. who acknowledges the Terms of Use on behalf of the Applicant when the Applicant is an Affiliate of the CA or is the CA. This role can approve a certificate request, so really approve certificate issuance. The other references tie the Applicant Representative to certificate requests. There are no monitoring or audit requirements.

So why do we have two different Subscriber roles who can approve certificate issuance, but have different terms in how they will be used?

In both cases the Enterprise RA and the Applicant Representative are not RAs as defined in the BRs, are not performing tasks delegated by the CA, so are not Delegated Third Parties.

So agree, we need to improve clarity and also simplify if we can.

barrini commented 3 months ago

Move to the Definitions & Glossary WG.