More questions for Comodo, specifically regarding the CPS at http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf

Section 2.4.3 a) for code signing certificates refers to section 4.2.1 (Validation Practices).

Going to section 4.2.1:

- Unlucky formulation of "4.2.1 Secure Server Certificates Validation Process" (Code Signing versus Server Certs).
- Subsection 1 doesn't apply, I guess.
- Subsection 2 says:

The applicant is an accountable legal entity, whether an organization or an individual.
• Validated by requesting official company documentation, such as Business License, Articles of Incorporation, Sales License or other relevant documents.
• For non-corporate applications, documentation such as bank statement, copy of passport, copy of driving license or other relevant documents.

Further it says:

The above assertions are _*reviewed through an automated process*_, manual review of supporting documentation and reference to third party official databases.

Scrolling further down to 4.2.8 (applies to Code Signing Certificate / Time Stamping Certificate):

Code Signing Certificates and Time Stamping Certificates are processed by a Comodo validation officer in accordance with the process outlined in section 4.2.1 of this CPS.

OK, I was at 4.2.1 already; Comodo received and reviewed the material received and referenced to third party sources.

Comodo may employ the data held by IdAuthority to expedite the validation process. _*If application data matches the records*_ held by IdAuthority, _*manual validation intervention is not required*_. In the event that the application data does not match the pre-validated records, the application is processed manually by a Comodo validation officer in accordance with the process outlined in section 4.2.1 of this CPS.

Again I'm pointed to 4.2.1...

IdAuthority = "contains records of over 5 million unique legal entities sourced from a combination of publicly available resources. Where possible, _*the directory will be used to confirm the identity of a certificate applicant*_. If the directory cannot be used to sufficiently validate a certificate applicant, further validation processes will be used. These may include an out of bands validation of the applicant’s submitted information."

I'm missing here an important step in this validation procedure. Can Comodo explain how it establishes the connection between the applicant and the documents received on one side and through its automated process, its own database of information and third party databases on the other side? Please point me to the exact reference in the CPS since I most likely missed it.

(Please note that "Code Signing" serves as an example and may apply to other types of certificates as well according to the CPS).

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390