Hi Eddy. I'm not the right person to answer your questions about our CPS. I have asked my colleague Robin Alden to join this newsgroup and answer each of your points.

On Sunday 16 March 2008, Eddy Nigg (StartCom Ltd.) wrote:
> This is a revised version of my initial questions concerning the Comodo
> inclusion and upgrade requests. I've updated the sections which received
> a response from Frank and are solved from my point of view and added
> some more content where deemed necessary.
>
> 1.) The audit report for non-EV operations refers to the CA operation at
> Manchester. The audit report for EV refers to the CA operations at New
> Jersey. One of the roots is from a company operating in Sweden, one
> operating in Salt Lake City, Utah, USA and one of Salford, GB. Can
> the relations between these locations and the general operation of
> Comodo and the audit reports be explained?
>
> Additionally I would like to know to whom belongs the company LITESSL
> CA, INC. and its relationship to Comodo CA Ltd. as referenced in the
> audit report from KPMG
> (https://cert.webtrust.org/SealFile?seal=636&file=pdf). What are its
> relations to AddTrust AB, Sweden? In the audit reports no distinctions
> are made between the various companies and the audit reports are
> addressed only to Comodo CA Ltd.
>
> 2.) The Comodo Certification Practice Statement, Version 3.0 and other
> CPS amendments state that wild card certificates are domain name
> validated only (depending on product or trade mark). How does Comodo
> prevent or control misuse of wild card certificates, especially in
> relation to phishing attempts and other fraud, taking into consideration
> that these certificates are domain validated only? Does Comodo believe
> that such wild card certificates are issued according to verification
> requirements for this special type of certificates?
>
> 3.) The Comodo Certification Practice Statement, Version 3.0 and other
> CPS amendments state certificate validity of up to ten years and beyond.
> I couldn't find any provision in case the domain name expires. It isn't
> clear what happens if an identity or organization changes name, changes
> address, stops its operation, dies etc. How does Comodo guaranty the
> validity of these certificates throughout their lifetime?
>
> 4.) Frank, this one is for you:
>
> Since most (if not all) CA root certificates of Comodo were inherited
> from the Netscape era and never were properly evaluated by an inclusion
> process and in light of the questions above, isn't a thorough review of
> this CA in place in order to guaranty conformance to the Mozilla CA
> policy? Because an upgrade to EV would tie this CA further into NSS I
> believe that such a review should be performed prior to any other step.
> I haven't invested a lot of time into this request initially (as I
> haven't for other upgrade requests for EV during the comments period),
> but raised enough questions which might justify such a review.

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto