On 10/03/2008 03:38 AM, Frank Hecker:
> Remember that a lot of CAs working with enterprises outsource the
> Registration Authority function to those enterprises. In other words,
> the enterprise is ultimately responsible for doing verification of
> subscribers (e.g. when issuing certificates to employees and corporate
> web sites), even when the CA itself is issuing the certificate. Going
> from outsourced RAs to third-party subordinates adds some additional
> risk, but it's not a qualitatively different situation as I see it.

You are right and you've touched a sensitive issue here! It's certainly something we might want to look at at some stage. But due to the fact that the issuing CA has been audited, this includes how the CA governs and controls the RAs, but also the environmental, logical and physical aspects of the infrastructure - including access regulations and a lot more... I think there is still a difference between relying on verifications done by an RA and having a complete CA at a different location run by a different entity.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto