Thanks for your response, Robin.

On Dec 26, 1:10 pm, ro...@comodo.com wrote:

> Comodo accepts responsibility for the work of its RAs in the
> validation that they do leading to the issuance of certificates under
> our root certificates.

You failed to answer the other half of this question. What should the
repercussions of such failures as this be for Comodo? Simply hoping
you follow up with your resellers (as has so far been the case with
Certstar) is not an acceptable remedy in my opinion.

> No, the RAs are not subject to the same audits as Comodo.  Comodo
> undergoes an annual external audit to maintain our Webtrust
> certification for CAs.

How can the results of the Comodo audits be considered valid if Comodo
outsources portions of its functions to third parties, that are not
subject to the same audits?

> http://www.cica.ca/download.cfm?ci_id=45239&la_id=1&re_id=0
> https://cert.webtrust.org/ViewSeal?id=804

This link responds with an error result.

> That is a question combined with an assertion.

Indeed, which I'll address below.

> To the question: on a unilateral basis, no, Comodo wouldn't reveal
> that level of detail of our internal operation.  If all CAs were
> required to provide the information, either to retain Webtrust
> certification or to gain or retain access to the root program of a
> major browser or other platform, then we would reconsider.

As I have mentioned in previous postings, a trust chain is only as
strong as its weakest link. Comodo has added extra links in its chain,
in the form of resellers whom it trusts to perform DV. If those links
in the chain are not disclosed, and not subject to the same audits as
the party applying for trust certification, then the integrity of the
chain cannot be established. I expect that no other CAs are delegating
their RA/DV functionality to third parties. If they are, then they're
in the same boat as Comodo.

> To the assertion that this is a pre-requisite for a CA to be
> trustworthy: I am not aware that it is Mozilla's policy to require
> this information to be disclosed.

I can't see how a CA can be considered trustworthy by anyone if it
outsources portions of its core operations to undisclosed parties, and
those parties are not subject to the same criteria, inspection and
audits as the CA itself.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto