John Nagle wrote:
> As a user of SSL certificates in our SiteTruth system, which
> attempts to identify and rate the business behind a web site, we're
> concerned about CA reliability and trust. We've been using Mozilla's
> approved root cert list for our system, and are considering whether
> we should continue to do so.

As a general point, I have never advocated having downstream licensees
of Mozilla code accept the default NSS root list as is, without doing
some due diligence on their own. There are lots of roots in that list
that are there for legacy reasons, and others that are not necessarily
of general interest (e.g., CAs operating within a single country or
region). I encourage you and other licensees to trim the root list to
meet your own needs and your own assessment of CAs.

> 1. Comodo must undergo an audit to WebTrust standards, and the audit
> report must be published. An in-house self-investigation is not
> acceptable. The audit must be conducted by a recognized outside
> auditing firm.

Comodo already has undergone WebTrust audits, and presumably will do so
again; see for example

https://cert.webtrust.org/SealFile?seal=798&file=pdf
https://cert.webtrust.org/SealFile?seal=804&file=pdf

which I believe are the latest ones. Robin Alden can provide information
on other past, present, and future WebTrust audits of Comodo.

> 2. CertStar must separately undergo an audit to WebTrust standards,
> and the audit report must be published.

Certstar isn't a CA, and thus the WebTrust for CAs criteria are not
necessarily a good fit for it. (Plus the expense of a full WebTrust for
CAs audit is likely an order of magnitude higher than Certstar's
probable revenues.) However it's certainly true that future Comodo
WebTrust audits could and IMO should look at the question of how Comodo
deals with resellers and affiliates, as part of the task of determining
whether Comodo is operating in accordance with its CPS.
Frank
--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
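Frank's advice to trim the default NSS root list rather than accept it as is, as an added example that is not code from this thread or from Mozilla: a small Python filter over the certdata.txt object syntax NSS ships its roots in, keeping only roots NSS trusts for TLS server auth and dropping any on a local exclude list. The certdata.txt excerpt and the CA names in it are constructed, not real Mozilla data.

```python
"""Trim an NSS certdata.txt root list to a local trust policy (added example)."""

# Constructed excerpt in certdata.txt syntax: one certificate object and three
# trust objects. CA names are made up; MULTILINE_OCTAL bodies are skipped.
SAMPLE = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Global Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\012
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Global Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Legacy Email Only CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Constructed Regional CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"


def parse_objects(text):
    """Return each blank-line-separated object as a dict of attribute -> value."""
    objects, cur, in_octal = [], {}, False
    for line in text.splitlines():
        if in_octal:                      # skip the octal body up to END
            in_octal = line.strip() != "END"
            continue
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line closes the current object
            if cur:
                objects.append(cur)
                cur = {}
            continue
        parts = line.split(None, 2)       # CKA_name TYPE value
        if parts[1] == "MULTILINE_OCTAL":
            in_octal = True
            continue
        cur[parts[0]] = parts[2].strip('"') if len(parts) > 2 else ""
    if cur:
        objects.append(cur)
    return objects


def trimmed_server_roots(text, exclude=frozenset()):
    """Labels of roots NSS trusts for TLS server auth, minus a local exclude list."""
    kept = {o.get("CKA_LABEL", "") for o in parse_objects(text)
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST"
            and o.get("CKA_TRUST_SERVER_AUTH") == TRUSTED}
    return sorted(kept - set(exclude))
```

Running this on a real certdata.txt, with an exclude list built from your own assessment of each CA, yields the label set you would actually load into your trust store.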