In Bug #378882 Eddy Nigg directed me here because of a SubCA audit question: He states that root CAs in mozilla NSS must "Not circumvent the audit requirement set forth by the Mozilla CA policy. This means that the CAs which belong to this PKI and are under this root MUST be part of the audit. CAs themselves can't be the auditors, otherwise all CAs will audit themselves."
That was an answer to a question about the requirements for T-Systems to get their root accepted.

I compared the practices of T-Systems to those of GlobalSign, which offers a service to Enterprise CAs that allows the Enterprise CAs to operate as SubCAs independently under the root of GlobalSign: http://eu.globalsign.com/pki/rootsign.htm

According to the Info-Gathering-Document in Bug #406794, which covers the renewal of the GlobalSign root, GlobalSign does just what they shouldn't do according to Eddy's comment: They audit external SubCAs themselves, as stated in the bug/info-gathering-document:

"[...] As a CA is then run by an enterprise, domains are not technically restricted, however domains are contractually restricted. *GlobalSign* audits periodically as part of our own brand protection program. [...]" [Emphasis added]

So isn't GlobalSign doing something here that is very problematic?

Thorsten

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto