On 10/03/2008 05:43 AM, Eddy Nigg:
> On 10/03/2008 04:29 AM, Frank Hecker:
>> Even beyond the WISeKey model (the "CA in a box" appliance device), I
>> suspect that a number of other CAs serving the enterprise market have
>> enough subordinates that it would be unrealistic to require actual
>> audits of all subordinates in these cases as well.
>
> Who said that everything which was done to date was correct and useful
> (to the relying parties)? Just because it exists doesn't mean it's the
> right thing to do really. "CA-in-a-box" is a risk Mozilla shouldn't
> accept without some guarantees (which auditing provides). Let's suppose
> CAs stop verifying domain control of server certificates because some
> hardware vendors decided that the enterprise market needs it; will you
> also call it unrealistic to make it a requirement? Most likely not!
>
Here I wanted to add something: it's not that we should prevent intermediate third-party CAs or cross-signing, but we need to apply the same requirements to all CAs. Now, the requirements are defined in the Mozilla CA policy, which calls for auditing. Not by mistake, because this gives Mozilla some confidence in the CA whose work it (and with it just a few million users) is going to trust. By removing this requirement explicitly, by not applying the same requirements to all CAs, there is no use in maintaining it.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org