On Dec 23, 5:56 pm, ro...@comodo.com wrote:

> Comodo takes its responsibility to supervise RAs very seriously and we
> actively audit their performance. While it is not practical to audit
> 100% of their work, we audit a representative sample.

By delegating RA functions (including domain verification) to third parties, you appear to be making them the weakest links in PKI chains of trust.

> We apologize for Certstar’s mistake and assure you that we will
> redouble our self-auditing efforts to insure the problem does not
> repeat itself.

Some questions:

1. Does Comodo take full responsibility for the actions of its resellers? If so, what should the repercussions of such failures be for Comodo?

2. Are resellers subject to the same audits that Comodo presumably had to undergo to get its root certs added to Mozilla? Who performs, and who verifies, such audits? How often are they performed?

3. Are you willing to openly and continually disclose your list of resellers, the frequency of audits, the audit methodology, and the actual audit reports, so that third parties can evaluate whether Comodo is trustworthy as a CA?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto