On Dec 24, 2:13 am, "Paul C. Bryan" <em...@pbryan.net> wrote:
> On Dec 23, 5:56 pm, ro...@comodo.com wrote:
> Some questions:
>
> 1. Does Comodo take full responsibility for the actions of its
> resellers? If so, how should the repercussions of such failures be to
> Comodo?

Comodo accepts responsibility for the work of its RAs in the validation that they do leading to the issuance of certificates under our root certificates.

>
> 2. Are resellers subject to the same audits that Comodo presumably had
> to undergo to get its root certs added to Mozilla? Who performs, and
> who verifies such audits? How often are they performed?

No, the RAs are not subject to the same audits as Comodo. Comodo undergoes an annual external audit to maintain our Webtrust certification for CAs.

http://www.cica.ca/download.cfm?ci_id=45239&la_id=1&re_id=0
https://cert.webtrust.org/ViewSeal?id=804

>
> 3. Are you willing to openly, continually disclose your list of
> resellers, the frequency of audits, audit methodology, and actual
> audit reports so that third parties can evaluate whether Comodo is
> trustworthy as a CA?

That is a question combined with an assertion.

To the question: on a unilateral basis, no, Comodo wouldn't reveal that level of detail of our internal operation. If all CAs were required to provide the information, either to retain Webtrust certification or to gain or retain access to the root program of a major browser or other platform, then we would reconsider.

To the assertion that this is a pre-requisite for a CA to be trustworthy: I am not aware that it is Mozilla's policy to require this information to be disclosed.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto