Eddy, I'm sorry I haven't got around to answering your questions until now.
You wrote:

> 1.) The audit report for non-EV operations refers to the CA operation at
> Manchester. The audit report for EV refers to the CA operations at New
> Jersey. One of the roots is from a company operating in Sweden, one
> operating in Salt Lake City, Utah, USA and one of Salford, GB. Can
> the relations between these locations and the general operation of
> Comodo and the audit reports be explained?

The WebTrust Audit covers most aspects of our operation as a CA. The auditors visit any part of our operation which they deem to be involved in our CA operation.

The Manchester office is our UK based validation operation. It handles both EV and OV validation.

The New Jersey office is our US based validation operation. It too handles both EV and OV validation.

We have one more validation operation which handles OV validation only and which is also audited each year as part of the WebTrust audit.

The AddTrust root was purchased by Comodo from the ScandTrust organization in Malmö, Sweden. They had acquired the root (and continued the protection of the key material, etc.) when they took over the AddTrust operation.

The four UserTrust roots became available to Comodo when UserTrust became a Comodo Group Company.

In both of the above cases the key material was removed from its original sites of operation (in Sweden and Salt Lake City, respectively) and transferred into Comodo's data centres and backup centres.

The roots you see with Comodo's name in, or mentioning a Salford address, are roots for which we have generated the keys ourselves.

As to your request to "refrain from further advancing of their inclusion/upgrade request" - well, I'd rather answer the questions in this forum, if possible.

Regards
Robin Alden
Comodo CA Limited.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eddy Nigg (StartCom Ltd.)
Sent: 24 March 2008 02:38
To: Frank Hecker
Cc: dev-tech-crypto@lists.mozilla.org
Subject: Re: Comodo request for EV-enabling 3 existing roots

Frank Hecker:
> This is a followup to my previous message about Comodo's application to
> add a new EV root CA certificate. Comodo also has requested enabling
> three existing roots, AddTrust External CA Root, UTN - DATACorp SGC, and
> UTN-USERFirst-Hardware, for EV use, and also marking all three roots for
> SSL, email, and code signing use, as documented in the following bug:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=401587
>
> and in the pending certificates list:
>
> http://www.mozilla.org/projects/security/certs/pending/#Comodo
>
> I have evaluated this request, as per the mozilla.org CA certificate policy:
>
> http://www.mozilla.org/projects/security/certs/policy/
>
> and plan to officially approve the request after a public comment period.
>

The public comment period is officially up and I'd like to make the following statement:

In light of Frank's entry at bug https://bugzilla.mozilla.org/show_bug.cgi?id=401587#c20 NOTE #2 [1]

- and due to the fact that Comodo hasn't replied to most questions/inquiries;
- and due to the fact that Comodo has a high market share (second in size as claimed by Comodo themselves) and hence the risks for Mozilla and its users might be of a much bigger scale [2];
- and due to the fact that I have found reasons enough to believe that their low-assurance certification might present a risk to Mozilla and its users, specially also because I haven't received sufficient answers or none at all, to refute my findings;

I suggest the following at this stage: Adding an entry at the bug that

- requests officially a statement and answering of the issues which have been raised [3];
- requests to actively address the issues which are deemed to be a risk for Mozilla and its users after receiving their answers and after evaluating them;

and refrain from adding and/or updating their CA certificates at NSS until we have reasons enough to believe that all issues have been solved to our satisfaction, specially also because all their roots issue any type of certificates from DV to EV, hence separation isn't possible at this stage

and refrain from further advancing of their inclusion/upgrade request (of the other roots which are potentially up for upgrade to EV status).

[1] Although all these roots are already in NSS, in the interests of thoroughness I'll repeat all the evaluation steps as if they were new roots.

[2] Success also brings with it greater responsibilities, which is specially true for this industry.

[3] I'd be glad to gather all the points raised and summarize and formulate them for this task if this is of any help.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto