Michael Ströder wrote:
> From project experience I can confirm that it's exactly like what Kyle
> suspects. I won't mention names, but bringing your CA certs into MS IE
> and the Mozilla products is simply a cash cow. Nothing else. In the
> cases I know, no audits were conducted on sub-CAs by the root CA people,
> not even simple reviews of the sub-CA's CPS.

We must differentiate here a little bit. First of all, there are the certificates issued under the EV guidelines and the ones which are not. There are also differences, for example whether the subordinate CA is operated by the root CA itself or by a legally and physically independent entity. It is important whether the root CA has a policy which covers those sub-CAs or whether the sub-CA implements its own policies.

According to the changes/additions which I proposed to the Mozilla policy, a CA must in any case implement a policy and reasonable control over its sub-CAs. This would obviously cover sub-CAs which are maintained by the root *and* external ones. For EV I think it's appropriate that any external entity has undergone an audit (as if it were a root itself). Frank thinks that the EV audit guidelines cover that already.

Now, if you have knowledge of subordinate CAs which do not operate according to the principle above, I suggest you forward this information, even anonymously, to the list or to any one of us. We could examine the information and decide which necessary steps should be performed. You shouldn't hold back such information, should you really know about it.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto