On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:

> CertStar was found out, only due to the diligence of someone on this
> list. How many other RAs haven't been found out yet? We can't know,
> because Comodo won't say. This affects the confidence I have in their
> system (i.e., it removes ALL confidence that Mozilla extended on my
> behalf).
Actually, Eddy discovered the problem only through the fortuitous receipt of spam from CertStar. If he had not received the spam -- even if others had received it -- it is possible the problem would never have been discovered. This is why the discovery is so frightening.

Now that it is known that a subordinate reseller operating under one CA issued certificates without authenticating the identity of the subscribers, we know that the theoretical concern expressed (before all this) about resellers is no longer theoretical. NOW is the time to require that all CAs supervise the operations of their RAs and resellers.

This must be done in a way that independent audits of the CAs examine the implementation of such supervision, which can be accomplished by requiring (at least with respect to the Mozilla database) that CPs explicitly address how that supervision is performed. Either a CA's CP must explicitly state that there are NO external RAs or resellers, or else the CP must describe how external subordinates are monitored. Without this, a CA's request to have its root certificate included in the Mozilla database should be denied.

Since an audit will generally report on the implementation of such a policy but not necessarily on the policy's adequacy, the internal and public reviews of CA requests must examine the adequacy of the CA's policy for monitoring external subordinates.

--
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions
for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related
applications. You can access Mozdev much more quickly than you can
Mozilla Add-Ons.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto