As a user of SSL certificates in our SiteTruth system, which
attempts to identify and rate the business behind a web site, we're
concerned about CA reliability and trust.  We've been using Mozilla's
approved root cert list for our system, and are considering whether
we should continue to do so.  Given the situation described in

http://markmail.org/message/rje3lssql55l2rev?q=unbelievable

the use of Mozilla's root CA list is now questionable.

   There seem to be several problems here.

   1.   AddTrust, a company which apparently no longer exists, has an approved
        root CA certificate.  This in itself is troublesome.  Comodo does
        not seem to have taken on the obligations of AddTrust; see
        http://markmail.org/message/3zr4e5hxwmxjbgnp?q=Comodo+AddTrust.
        Yet Comodo is still issuing certificates under the root CA of
        this dead company.

   2.   Comodo is apparently not only allowing resellers like CertStar,
        but is allowing them to do their own validation of the legitimacy
        of the certificate requestor.  Who takes financial responsibility
        for such errors?  CertStar itself disclaims financial responsibility
        at http://www.certstar.com/terms.html.

   3.   Microsoft requires an annual audit for root CAs:
        http://technet.microsoft.com/en-us/library/cc751157.aspx.
        Mozilla seems willing to accept a one-time audit.  That seems
        to be why the disappearance of AddTrust wasn't noticed.
        Microsoft's audit requirements extend all the way down the
        chain of trust.  Their policy is:
        "The CA must complete an audit and submit audit results to Microsoft
        every twelve (12) months. The Audit must cover the full PKI hierarchy
        that will be enabled by Microsoft through the assignment of Extended
        Key Usages (EKUs). All certificate usages that we enable must be
        audited periodically. The audit report must document the full scope
        of the PKI hierarchy including any sub-CA that issues a specific type
        of certificate covered by an audit."  Microsoft uses the standards of
        the WebTrust Program for Certification Authorities
        (http://www.cica.ca/download.cfm?ci_id=45239&la_id=1&re_id=0)
        managed by the Canadian Society of Chartered Accountants.  That's
        a good guideline for Mozilla to follow.

At this point, I would suggest that the following actions are appropriate
to bring Comodo and Mozilla into compliance with the WebTrust standards:

   1.   Comodo must undergo an audit to WebTrust standards, and the audit
        report must be published. An in-house self-investigation is not
        acceptable. The audit must be conducted by a recognized outside
        auditing firm.
   2.   CertStar must separately undergo an audit to WebTrust standards,
        and the audit report must be published.  An in-house
        self-investigation is not acceptable. The audit must be conducted
        by a recognized outside auditing firm.  CertStar should not be
        permitted to issue any new certificates until this process is
        complete and the audit results are satisfactory.  If this process
        is not complete within 3 months, all CertStar-issued certificates
        should be revoked.
   3.   Comodo must disclose the identities of all "resellers" to which
        it has outsourced any validation functions.
   4.   All AddTrust root CA certificates must be phased out.  An
        expiration date in Q1 or Q2 2009 is suggested.  Since no company
        stands behind the AddTrust name, it's necessary to force expiration
        of that root.
   5.   The Mozilla Foundation should contact Microsoft's CA Root Certificate
        group to coordinate their actions.

                                John Nagle
                                SiteTruth
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto