Eddy Nigg (StartCom Ltd.) wrote: > As I have mentioned previously on this list and in private, for various > reasons I'd like to suggest to change the procedures and the process of > CA root requests to require an official request made by the CA in real > paper by registered postal mail, which would include the most important > details of the CA, the x.509 certificate and fingerprints (in paper) and > the attestation of the auditor in original form (the later could be > returned to the CA after scanning and copying). The audit papers could > be attached to the bug eventually... > > There are various reasons for this in my opinion, being it from a legal > point of view and as a way to verify the keys and audits accordingly. I > think it's less than sufficient to point to some web site which has a > vague description about what the audit may or may not have entailed (if > at all). *Who, when, where* and most important *what* has been signed? > What does it confirm and what not?
I agree that the questions you asked are the important ones to be answered. And I think Mozilla should require that the answers come straight from the auditor/accreditor, and NOT from the CA itself, as accepting papers from the CA provides too much temptation to forge such documents. But, How does paper improve this? Is it a matter is persistence, i.e. that Mozilla can rely on the papers even if the auditor's web site goes down? I would rather rely on a page from the auditor's web site than from papers received from the CA, purporting to be from the auditor! /Nelson _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
