Kyle Hamilton:
>
> Eddy: Can the root CA operator itself be the auditor of the sub-CAs,
> and bring its auditing documentation to its own auditor? That's not
> clear from the language you used; I'm assuming that sub-CAs cannot
> audit themselves (but could perhaps audit sub-sub-CAs), but since it's
> the root CA's reputation on the line does the root CA get the ability
> to enforce it by auditing its subs directly?

Which reputation [1]? Are you suggesting that because I have a CA root I can also play KPMG?

>
> I think that's what this question is really about.
>

Indeed! But I have been pretty clear that the audit requirement is circumvented if the "whatever-CA-under-some-root" isn't audited as well. Hence CAs can't audit their own customers! What I suggested is that the language used in the CP/CPS must make the audit requirement clear and/or obvious. Otherwise the audit statement of the auditor shall confirm that instead ("Yes, we audited the complete PKI including external CAs").

[1] I think we relied too many years on "reputations" for securing the Internet....Bullshit!

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto