On Tue, Aug 26, 2008 at 3:24 AM, Thorsten Becker <[EMAIL PROTECTED]> wrote:

> In Bug #378882 Eddy Nigg directed me here because of a SubCA audit
> question: He states that root CAs in mozilla NSS must "Not circumvent
> the audit requirement set forth by the Mozilla CA policy.
> This means that the CAs which belong to this PKI and are under this root
> MUST be part of the audit. CAs themselves can't be the auditors, otherwise
> all CAs will audit themselves."

Eddy: Can the root CA operator itself be the auditor of the sub-CAs, and bring its auditing documentation to its own auditor? That's not clear from the language you used; I'm assuming that sub-CAs cannot audit themselves (but could perhaps audit sub-sub-CAs), but since it's the root CA's reputation on the line, does the root CA get the ability to enforce it by auditing its subs directly? I think that's what this question is really about.

> That was an answer to a question about the requirements for T-Systems to
> get their root accepted. I compared the practices of T-Systems to those
> of GlobalSign, which offers a service to Enterprise CAs that allows the
> Enterprise CAs to operate as SubCAs independently under the root of
> GlobalSign:
> http://eu.globalsign.com/pki/rootsign.htm
>
> According to the Info-Gathering-Document in Bug #406794, which covers
> the renewal of the GlobalSign root, GlobalSign does just what they
> shouldn't do according to Eddy's comment: They audit external SubCAs
> themselves, as stated in the bug/info-gathering-document:
> "[...] As a CA is then run by an enterprise, domains are not technically
> restricted, however domains are contractually restricted.
>
> *GlobalSign* audits periodically as part of our own brand protection
> program. [...]" [Emphasis added]
>
> So isn't GlobalSign doing something here that is very problematic?
>
> Thorsten
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto