[EMAIL PROTECTED] wrote:
>> "The end result is that anyone who chooses to spend a hundred thousand
>> bucks or so on a single audit can then go around selling the benefit of
>> their inclusion in the trust list to the highest bidder without fear of
>> repercussion. Which is what they've been doing. And nobody has the balls
>> to stand up and say "user security is more important than user
>> convenience". (In addition, roots have been sold to other companies,
>> which have not passed continuing conformance audits.)"
>>
>

The context which led to this quote was that there are various conflicts of interest in the PKI trust model, starting with the CAs, which have to maintain a positive cash flow, the browser vendors, which must maintain a market share, and so forth. Please note that I was quoting somebody else as I tried to explain why people believe that the trust model is broken and feel cheated. But please read on...

> 1. The Root is responsible for certs issued by a Sub-CA and are
> included in the Root's WebTrust audit.

The issuing CA of a root certificate is *supposed* to be responsible for its sub CAs naturally; however, as a user of Mozilla software I want to be *assured* that this is indeed the case. As a member of the Mozilla community I want to make sure that this is indeed the case, in order to protect the user and give the user confidence in the software he is using. As a member and employee of a CA I want to make sure that all CAs are competing on the same terms and don't devalue the efforts of my employer. Because when one CA misbehaves, all CAs suffer, as you can understand from the quote above, and earning back the trust of the relying party is almost impossible once it's lost.

> The EV Guidelines also make this very explicit.

I hope that the EV _audit_ guidelines and its auditors actually make sure that this is the case.

> Can you identify examples where this is not the case?

My job is *not* to find such examples, but to impose the policies, rules and requirements in order to guarantee, as much as possible, that such an example will never be identified. At least not here.

> If you distrust the WebTrust (or equivalent) standards on this
> point, perhaps you should also raise it with the bodies responsible
> for them?
>

The WebTrust organization and its accredited auditors are effectively a monopoly. Even here there are conflicting interests.

As long as the audit specifications and audits aren't opened to such an extent that any practicing audit firm, no matter from which country, can perform them and be accepted as such, I would rather trust an assertion of the Turkish government than that of WebTrust. The body governing the EV guidelines (CAB Forum) is mainly an interest group of commercial CAs, which isn't really building up the confidence of somebody who has lost faith in the PKI trust model and in particular in CAs.

The only responsible body where I can influence any of the above is the Mozilla Foundation. This is where the issues are raised by me and others, because Mozilla is to some extent responsible for its software and is also a community-oriented, open organization. Therefore, as you suggested above, this is exactly what we are doing here! But thank you for your advice anyway.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto