On 28.12.2008 12:13, Kai Engert wrote:
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it. The verification task is the most important task. All people
and processes involved should be part of the assuring audit.
The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."
In my opinion, it means, a CA must do this job themselves.
...
In my personal opinion, a CA violates the Mozilla CA Certificate Policy
if they delegate the verification job to an external entity not owning
"attestation of their conformance to the stated verification
requirements".
Agreed.
What *is* a CA? I thought it was a company that verifies that a certain
entity is what it claims to be, it verifies identity.
(Even that definition is much smaller than "secure", which normal users
assume, based on our own marketing of SSL = "secure").
The Certificate is merely the technical means to transmit the statement
of verification. For that to work reliably, the CA also has to assure
technical security of their systems.
Based on that definition, which I think most people - even here and on
sec-group - assumed to be true, the CA has to do all verifications itself.
I think the Mozilla policy also implies that, by requiring the audits.
I'd like to see the audit, because I cannot imagine that 7000 resellers
were audited, and if any audit approved them all, that audit was useless
and should be removed from our policy.
Some people seem to now - by allowing "Re define a CA as just a company
that holds the private bits to a root cert that we distribute. That,
IMHO, is a useless definition.
In any case, Comodo has obviously failed to assure its processes. Frank
Hecker asked what is needed to regain trust. It is the assurance of
their processes, that this cannot happen again. For me, that means that
Comodo does all verification *themselves*, and of course also the key
signing. It is not possible to outsource that task, because that is
where the trust lies.
It's fine with me that they have resellers. However, they are just
sellers; they do not do the verifications. As sales people/companies go,
if you allow the real-world comparison, they can recruit customers and
collect money, but they do not do the core business, and they are not
particularly trusted either.
And, FWIW, I do not consider the fact that somebody paid via a certain
credit card to be a sufficient verification, for the sake of SSL certs,
that he really is that person. Nor when he can receive an email to
webmas...@.
(That might have been the "verification" process of Certstar: spam
webmaster@ email addresses (as reed said in the bug), and if they react
to that, obviously they must have read the webmaster@ email and
therefore control the domain, which means the verification is already
done. Yes, I'm cynical.)
Please also read my following post about PositiveSSL specifically.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto