I'll also mention that these CAs are supposed to be audited to "financial services" levels. The root that it chains to is EV-enabled.
The fact that audits didn't pick up on the discrepancies that Eddy found between Comodo's CP/CPS and Robin's statements suggests that Comodo's playing dirty pool, and Frank's letting them get away with it.

-Kyle H

On Sat, Dec 27, 2008 at 4:43 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 12/27/2008 02:16 PM, Ian G:
>>
>> Indeed, this is the "Verisign buyout model"; outsource something new,
>> get huge, get bought out by Verisign.
>
> What has that to do exactly with what Paul agreed to?
>
>> It doesn't matter in business principle whether it outsources a function
>> to a reseller, to its employees or to the government.
>
> Of course it does. Besides that, an employee isn't outsourcing; he is part of
> the company. Or one might ask, why are certain functions never outsourced to
> a third party? Or perhaps let's start to outsource the CA root key
> responsibilities as well then...
>
>> Is there a criterion anywhere that says or implies "The CA has not
>> outsourced critical function X to an external agent?" Can anyone recall
>> such a statement?
>
> Yes, to some extent Mozilla does that already today with the "Problematic
> Practices". For example, auditing of intermediate CAs shouldn't be outsourced
> from the auditor to the CA (it's just the other way around).
>
> And if there is no such criterion we might still create and adopt it. This is
> no precedent; there are other criteria already.
>
>> that a popular incentive is to generate opportunities for business
>> revenues.
>
> So? Mozilla really shouldn't care about the business revenues of some CAs.
> How is that relevant?
>
>> As advice this would remain fine and standard. However, trying to create
>> some sort of restriction on how these things are done is likely to close
>> off opportunities to do it better another way, in the future.
>>
>
> I think what Paul suggested is exactly what any responsible CA should do. I
> believe most do exactly that today. Especially in light of the fact that it's a core
> requirement of the Mozilla CA policy.
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog: https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto