Eddy Nigg (StartCom Ltd.) wrote:
> [EMAIL PROTECTED] wrote:
>> 1. The Root is responsible for certs issued by a Sub-CA and are
>> included in the Root's WebTrust audit.
>
> The issuing CA of a root certificate is *supposed* to be responsible for
> its sub CAs naturally, however as a user of Mozilla software I want to
> be *assured*, that this is indeed the case.

There is no way to assure that even in the case of EV certs. IMO EV is
just marketing, yet another cash cow with even higher prices per cert.

> As a member of the Mozilla community I want to make sure, that this
> is indeed the case, in order to protect the user and give the user
> the confidence in the software he is using.

No way. IMO you don't have a chance to detect violations of the policy
even for the root CAs.

> As a member and employee of a CA I want to make sure that all CAs
> are competing on the same terms and don't devalue the efforts of my
> employer.

In practice every employee of a CA is made to lower the bar by his
management because others do it as well. Then EV was invented as a higher
level of trust. I wonder why there was a need for this if the CAs already
did a good job before?

> Because when one CA misbehaves, all CAs are suffering as you can
> understand from the quote above, and earning back the trust of the
> relying party is almost impossible once it's lost.

Well, the relying party is the weakest piece in this puzzle. PKI business
suffers because the RPs don't care.

>> The EV Guidelines also make this very explicit.
>
> I hope that the EV _audit_ guidelines and its auditors actually make
> sure that this is the case.

Good luck.

>> Can you identify examples where this is not the case?
>
> My job is *not* to find such examples, but to impose the policies, rules
> and requirements in order to guarantee as much as possible, that such an
> example never will be identified. At least not here.

Maybe you should rather think about how to clearly refuse giving
guarantees and deny any warranties in your Mozilla policy. ;-}

> The only responsible body where I can influence anything of the
> mentioned above, is the Mozilla Foundation.

Eddy, thanks for doing this work. Again: Good luck.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto