On 10/10/2008 01:45 PM, Ian G:
> Finally, if it ever did get to court, I don't see any good reasons
> why it would not stand up?

Well, I prefer to refrain from commenting on this, but the fact that I
mentioned it could give you some hint ;-)

> (I should clarify things here: there is certainly an agreement
> between each CA and Mozilla. It's however not a written agreement
> with only one form, rather it is a compilation including:
> * the policy,
> * and in the case of EV, the Guidelines are incorporated,
> * audit criteria,
> * any side agreements or historical understandings,
> * the filed documents under the ascension process,
> * etc.

Actually the request made by the CA to have their root included
is/should/might be interpreted as a waiver for any special requirements,
agreements, conditions except if specifically conditioned in the bug.
The inclusion request is obviously an implicit agreement. I suggested in
the past to have CAs
- make a request also in writing
- provide audit statements, root certificates and other documents in hard copy
- sign a standard agreement with Mozilla

This is the common approach with all major browsers besides Mozilla.

> So, you are saying that Mozilla, by way of its software agent
> ("Firefox" and/or "NSS") are standing in for some of the risks,
> liabilities, obligations expressed in the CA's RPA?

No, but a user can easily prove that by using the browser he adheres to
the RP obligations (except if he overrides the browser configuration -
adds an exception)

> So, what happens in any real case? If grandma stands up and says "I
> don't know how, but I was robbed!"

That's not a case for the CA. Grandma has to sue the party which robbed
her. Provided that there was no flaw in the certification, the CA is
clean and not party of such circumstances.

> A judge might knock the RPA down on the basis that there is a better
> agreement, but I don't know what that would be

No, that's not the case, but I'm not really inclined to give ideas here...

> This is bad, but I think most CAs have stopped
> doing that so blatantly.

Really? I haven't seen that....

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Blog: https://blog.startcom.org