> "The end result is that anyone who chooses to spend a hundred thousand
> bucks or so on a single audit can then go around selling the benefit of
> their inclusion in the trust list to the highest bidder without fear of
> repercussion. Which is what they've been doing. And nobody has the balls
> to stand up and say "user security is more important than user
> convenience". (In addition, roots have been sold to other companies,
> which have not passed continuing conformance audits.)"

1. The Root is responsible for certs issued by a Sub-CA and are included in the Root's WebTrust audit. The EV Guidelines also make this very explicit. Can you identify examples where this is not the case? If you distrust the WebTrust (or equivalent) standards on this point, perhaps you should also raise it with the bodies responsible for them?

2. Can you identify Roots that have been sold, the new owners have not kept up their audits, and the Roots are still distributed?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto