On 12/29/2008 07:40 AM, David E. Ross:
On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:
CertStar was found out, only due to the diligence of someone on this
list.  How many other RAs haven't been found out yet?  We can't know,
because Comodo won't say.  This affects the confidence I have in their
system (i.e., it removes ALL confidence that Mozilla extended on my
behalf).

Actually, Eddy discovered the problem only through the fortuitous
receipt of spam from CertStar.  If he had not received the spam -- even
if others had received it -- it is possible the problem would never have
been discovered.  This is why the discovery is so frightening.

I will suggest that Mozilla allocate some funds for random checking of the performance of CAs.


Now that it is known that a subordinate reseller operating under one CA
issued certificates without authenticating the identity of the
subscribers, we know that the theoretical concern expressed (before all
this) about resellers is no longer theoretical.  NOW is the time to
require that all CAs supervise the operations of their RAs and
resellers.  This must be done in a way that independent audits of the
CAs examine the implementation of such supervision, which can be
accomplished by requiring (at least with respect to the Mozilla
database) that CPs explicitly address how that supervision is performed.

Either a CA's CP must explicitly state that there are NO external RAs or
resellers, or else the CP must describe how external subordinates are
monitored.  Without this, a CA's request to have its root certificate
included in the Mozilla database should be denied.  Since an audit will
generally report on the implementation of such a policy but not
necessarily on the policy's adequacy, the internal and public reviews of
CA requests must examine the adequacy of the CA's policy for monitoring
external subordinates.


+1


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto