On 12/29/2008 08:04 PM, Frank Hecker:
When we created the policy I was well aware of the existence of RAs and
of the possibility that CAs might outsource functions like domain
validation to RAs. Whether or not this is clear from the policy (and I
guess it's not, since you and others are asking about this), my
intention was certainly that the activities of RAs were considered to be
encompassed within the overall activities of CAs, and that the policy's
requirement for CAs to validate domains left open the possibility that
this might be done by RAs acting as agents of CAs.

Incidentally, we agreed not long ago that we'll have to look at the various RA scenarios more closely in the future. There is a similarity between externally controlled sub CAs, RAs and apparently also "Resellers", where resellers actually act as RAs (according to Comodo's CPS).

As in the case of various other issues listed in the "Problematic Practices" pages [1], RAs will have to be defined more clearly as well. Something which was supposed to be obvious apparently isn't.

As such, there are many common practices in this industry which are not up to today's requirements and/or the race to the bottom require clear regulation, something which previously maybe wasn't required. My insistence on detecting, declaring and defining them previously always had the goal to prevent possible damage and with it make PKI and digital certificates irrelevant for the Internet. Therefore, common practice by CAs must never be the criterion for sound and responsible requirements.

So, to repeat, I don't think the key issue here is whether CAs should or
should not be allowed to delegate domain validation to RAs. The question
(e.g., as in the case of Comodo and Certstar) is rather whether
particular RAs are doing this properly, and if it's not done properly,
whether the failures on the part of RAs represent isolated incidents or
whether they indicate a systemic failure of the CA to properly oversee
its RAs.

It's the inconvenience of having to confirm an email ping or other automated control verification by the subscriber which leads some CAs to circumvent it with "agreement by checkbox" validation. This results in an undue risk (be it just by human error and not intent or negligence) and unfair competition as well. I'd never outsource domain name validation to such identities as RAs and Resellers, not even for intermediate CAs. RAs may sometimes perform identity or organization validation more efficiently than the CA due to local proximity; however, technical requirements such as domain or email have no justification to be outsourced. Otherwise physical and local controls and requirements will also have to be added to the RA infrastructure, which makes it even more complicated.

[1] http://wiki.mozilla.org/CA:Problematic_Practices

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org