Eddy Nigg has brought up a couple of points that I had not thought of, and I would also point to his messages for issues to be addressed.
I cannot point to any specific roots that have "not kept up their audits". I think this is a red herring, though. It is much more telling that "I cannot point to any specific roots which have kept up their audits." This is primarily because I don't know what the rules on 'keeping up their audits' really are. What are the continuing audit requirements? ARE there any continuing audit requirements? How do the audit guidelines for EV differ from the audit guidelines for WebTrust? And where are the audits made public? (Are they made public? If not, what aspects are made public? Is the number of exceptions made public? Would the number of exceptions for each individual point in the CPS be made public?)

I suppose one of the larger issues is something like this: "I am a user, and I have seen at least one situation where practice wasn't even realized to have been in violation of the appropriate CPS until after I brought it up. The CPS was updated as a result, since the business needs for the program which allowed the certificates to be issued had clearly outstripped the dedication to the CPS as it existed. As a user, I should not be required to bring up situations like this and have CPS changes made retroactively -- that violated my trust that the CPS is EVER being followed."

As Eddy has mentioned, this lack of trust -- this lack of faith -- hurts ALL CAs, not just the one which did this (Thawte, after Verisign bought them). This is primarily because there is no differentiation in the user interface between the different CAs, so any of them screwing up just shows up as "the trust list cannot be trusted". This could probably also qualify as a 'roots have been sold and audits were not kept up' situation. Even if it's not current, the damage has already been done. I don't ever want that damage to happen again, and that's why I keep harping on the same sorry topic. This should have been dealt with YEARS ago.
I haven't been shown anything that suggests that my trust or faith in the system should be restored.

-Kyle H

On Feb 11, 2008 8:20 AM, <[EMAIL PROTECTED]> wrote:
>
> > "The end result is that anyone who chooses to spend a hundred thousand
> > bucks or so on a single audit can then go around selling the benefit of
> > their inclusion in the trust list to the highest bidder without fear of
> > repercussion. Which is what they've been doing. And nobody has the balls
> > to stand up and say "user security is more important than user
> > convenience". (In addition, roots have been sold to other companies,
> > which have not passed continuing conformance audits.)"
>
> 1. The Root is responsible for certs issued by a Sub-CA and are
> included in the Root's WebTrust audit. The EV Guidelines also make
> this very explicit. Can you identify examples where this is not the
> case? If you distrust the WebTrust (or equivalent) standards on this
> point, perhaps you should also raise it with the bodies responsible
> for them?
>
> 2. Can you identify Roots that have been sold, the new owners have
> not kept up their audits, and the Roots are still distributed?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto