[email protected] wrote:
> On Dec 24, 2:13 am, "Paul C. Bryan" <[email protected]> wrote:
>> 2. Are resellers subject to the same audits that Comodo presumably had
>> to undergo to get its root certs added to Mozilla? Who performs, and
>> who verifies such audits? How often are they performed?
> No, the RAs are not subject to the same audits as Comodo.

And that's a fundamental flaw. If you delegate RA functionality (here, domain validation) to a reseller, so that the reseller is capable of triggering cert issuance without further validation by the CA, then the RA should also be audited just like the CA.

>> 3. Are you willing to openly, continually disclose your list of
>> resellers, the frequency of audits, audit methodology, and actual
>> audit reports so that third parties can evaluate whether Comodo is
>> trustworthy as a CA?
> That is a question combined with an assertion.
> To the question: on a unilateral basis, no, Comodo wouldn't reveal
> that level of detail of our internal operation. If all CAs were
> required to provide the information, either to retain Webtrust
> certification or to gain or retain access to the root program of a
> major browser or other platform, then we would reconsider.
> To the assertion that this is a pre-requisite for a CA to be
> trustworthy: I am not aware that it is Mozilla's policy to require
> this information to be disclosed.

Robin, I agree that all CAs should fulfil the same requirements. And I suspect your case is not the only problematic case.

So basically we're back at the point which has already been raised many times here. In earlier discussions people were concerned about the power of RAs and sub-CAs of trusted root CAs, and that this relationship is not published at all. And as this case shows, the concerns are valid.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

