On 12/24/2008 12:05 AM, Paul C. Bryan:
Presumably it was Comodo that underwent an audit to be added to
Mozilla's roots, and Comodo should not be allowed to delegate trust to
their resellers for domain validation. If, today, trust is delegated
to their resellers, then we can't trust Comodo, period.


I would second that, and in light of many other problematic practices which were discovered during their inclusion/update of EV, it's simply too much. More than 24 hours into this, I've come to the conclusion that this is a severe incident which requires action. If Robin can assure us of reasonable actions from their side (as suggested previously by me) it would serve all participants the best. Inaction and non-cooperation will leave Mozilla with not much choice I think. Ignorance by Mozilla itself will haunt it for a long time too. But it must happen now, either way!

(I don't think we have the time to discuss each and every aspect of RA and reseller responsibilities and what we deem as safe; I'm certain we'll take this issue up (which apparently has about the same implications as intermediate externally operated CAs))


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto