Paul Hoffman:
There is also a policy question of whether or not Entrust's CPS says
what cross-signing means in a way that both we and the auditors can
understand. On its face (without having read the documents), I think
it sounds pretty shaky to have a CA saying "you can trust that other
CA to do the right thing because you trust us to do the right thing"
when there is no easy financial chain of trust we can follow.
Apparently from the facts we know, the cross-signed CA isn't bound
to the Mozilla policy requirements, no matter what their own policy
says. We certainly can't trust a cross-signing scheme where the very
basics of said policy aren't enforced. Cross-signing would also imply
cross-auditing, no? And cross-responsibility (e.g. Entrust is
responsible for the actions of DigiNotar)? And have the affected
cross-signing trust bits removed?
(Just for the record, DigiNotar never claimed that they verify email
addresses and this is fine with me as long as the email trust bit is set
to false. Certainly not blaming DigiNotar, but Entrust should have known
otherwise!)
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto