I did not mean to imply that the jurat would be the sole document upon
which the MF would add a CA's root to the browser. There will need to
be contract terms to which the CA and MF would agree, and to which the
jurat would be added as an attachment. Such a contract would be the
recourse for recovery of damages, if any, from the CA operator. The
jurat adds the weight of personal responsibility on the part of the
signer.
I also did not mean to imply that the MF should not perform audits;
they are still necessary. However, they may not be necessary in every
case - only when warranted through complaints by RPs. To my mind, an
officer/manager of a CA operator is putting a lot more at risk when they
sign a jurat, than just a contract that does not hold them personally
accountable if the operator deviates from the CP. In fact,
self-preservation is more likely to ensure that they bring violations to the
attention of MF even if others in the company are attempting to cover
them up.
The self-audit template could be a format that is designed to elicit
sufficient information that the MF feels is necessary to engender trust;
so the self-audit will not necessarily be opaque.
Finally, I stand partially corrected on the statement that lying on a
jurat is a felony; it is in the matters of real-estate, but a perjury
otherwise. Section 115.5 (b) of the Penal Code (Notary Public Handbook
at http://www.ss.ca.gov/business/notary/notary_2005hdbk_1stpg.htm) says:
"Every person who makes a false sworn statement to a notary public,
with knowledge that the statement is false, to induce the notary public
to perform an improper notarial act on an instrument or document
affecting title to, or placing an encumbrance on, real property
consisting of a single-family residence containing not more than four
dwelling units is guilty of a felony."
Arshad Noor
StrongAuth, Inc.
David E. Ross wrote:
There are some problems with this concept.
A jurat executed outside of the U.S. by a CA (certificate authority)
operating entirely outside of the U.S. might not be enforceable in U.S.
courts. It might not be enforceable to the extent indicated above in
the courts where the CA operates by a U.S. plaintiff; instead, there
might be only civil penalties for falsely swearing a jurat and no
criminal penalty.
A CA is expected to operate in a manner that does not injure the public.
Providing a criminal remedy against a rogue CA gives little
satisfaction to those suffering financial loss if they cannot recover
the money. A CA that falsely swears a jurat to have its root
certificate included in a browser so that fraud or other crimes can then
be committed will likely leave little to be found for restitution.
In the end, the issue is trust. The public is asked to trust the CA and
the subscriber certificates the CA signs. The first two advantages
listed for the CA above do not inspire trust. Trust is created by the
public exposure of the details of how the CA operates; this is required
by the WebTrust audit criteria. Further, trust is enhanced if a third
party looks at the CA operations because (as I learned during my career
as an independent software test engineer) the "owner" of a process,
system, or enterprise too often is blind to defects.
By the way, in California, falsely executing a declaration being
notarized is the crime of perjury. Perjury is a crime that stands
alone, neither a felony nor a misdemeanor. The penalty is that of a
minor felony, 2-4 years in a state prison. (However, I once heard that
perjury in a capital crime -- where the person falsely convicted is
executed -- is itself a capital crime.) A notary who actively helps
someone else commit perjury has committed a felony.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto