I note that the WebTrust audit seal that Robin provided links to only
mentions auditing in relation to EV certificate issuance, and does not
address anything at all outside of that scope.

"This report does not include any representation as to the quality of
Comodo's services beyond those covered by the WebTrust for
Certification Authorities EV Criteria, nor the suitability of any of
Comodo's services for any customer's intended purpose."

i.e., there is no audit for non-EV certificate issuance, and thus
non-EV certificate issuance has no reason at all to be trusted.

This is problematic.

-Kyle H

On Fri, Dec 26, 2008 at 5:04 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 12/27/2008 02:42 AM, David E. Ross:
>>
>> The issue at hand is not the first time issues about external RAs and
>> certificate sellers have been raised.  These are the issues that need to
>> be addressed now.
>>
>> A CA should either assert in its CP that there are no RAs and resellers,
>> or else describe the CA's relationship with them.  By policy, the
>> Mozilla organization should require a CA's CP to address the following
>> four points (lumping external certificate sellers with RAs):
>>
>> 1.  The CP should detail how external registration authorities (RAs)
>> are approved.
>>
>> 2.  The CP should detail how RAs verify subscriber identities.
>>
>> 3.  The CP should detail how RAs verify authorization of individuals
>> to represent organizational subscribers.
>>
>>
>> 4.  The CP should detail how the CA verifies that RAs operate in accord
>> with the CA's policies.
>>
>> The first would tell us how RAs and resellers are chosen.  The second
>> and third would tell us what processes are imposed on RAs and resellers.
>>  The fourth would tell us how the operations of RAs and resellers are
>> monitored.  Placing these four in a CP puts them in view of outside
>> auditors and subjects them -- especially #1 and #4 -- to being audited.
>>  All four of these trace to WebTrust criteria.  Note, however, none of
>> these require disclosing who are the RAs and resellers.  Instead, I'm
>> willing to rely on ISO 9000 principles: Say what you do, do what you
>> say, and prove it.
>>
>> If Mozilla policies required these four points in a CP, then approval of
>> a CA's request for inclusion in the certificate database could depend --
>>  with respect to RAs and resellers -- upon (a) Mozilla's and the
>> public's review of the adequacy of the CP statements and (b) the
>> independent auditor's review of compliance with those statements.
>>
>
> Seconded. BTW, this is part of the WebTrust criteria. We need to make it
> explicit similar to the intermediate CAs.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog:   https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>