This is a revised version of my initial questions concerning the Comodo inclusion and upgrade requests. I've updated the sections which received a response from Frank and are solved from my point of view and added some more content where deemed necessary.
1.) The audit report for non-EV operations refers to the CA operation at Manchester. The audit report for EV refers to the CA operations at New Jersey. One of the roots is from a company operating in Sweden, one operating in Salt Lake City, Utah, USA and one of Salford, GB. Can the relations between these locations and the general operation of Comodo and the audit reports be explained? Additionally I would like to know to whom the company LITESSL CA, INC. belongs and its relationship to Comodo CA Ltd. as referenced in the audit report from KPMG (https://cert.webtrust.org/SealFile?seal=636&file=pdf). What are its relations to AddTrust AB, Sweden? In the audit reports no distinctions are made between the various companies and the audit reports are addressed only to Comodo CA Ltd.

2.) The Comodo Certification Practice Statement, Version 3.0 and other CPS amendments state that wildcard certificates are domain name validated only (depending on product or trade mark). How does Comodo prevent or control misuse of wildcard certificates, especially in relation to phishing attempts and other fraud, taking into consideration that these certificates are domain validated only? Does Comodo believe that such wildcard certificates are issued according to the verification requirements for this special type of certificate?

3.) The Comodo Certification Practice Statement, Version 3.0 and other CPS amendments state certificate validity of up to ten years and beyond. I couldn't find any provision in case the domain name expires. It isn't clear what happens if an identity or organization changes name, changes address, stops its operation, dies etc. How does Comodo guarantee the validity of these certificates throughout their lifetime?

4.) Frank, this one is for you: Since most (if not all) CA root certificates of Comodo were inherited from the Netscape era and never were properly evaluated by an inclusion process and in light of the questions above, isn't a thorough review of this CA in place in order to guarantee conformance to the Mozilla CA policy? Because an upgrade to EV would tie this CA further into NSS I believe that such a review should be performed prior to any other step. I haven't invested a lot of time into this request initially (as I haven't for other upgrade requests for EV during the comments period), but raised enough questions which might justify such a review.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto