On 29.12.2008 07:59, Nelson B Bolyard wrote:
Perhaps the policy should even go so far, as Kai has suggested, as to
require that whatever entity performs the verification of subject
identity for the CA must be audited.
Yes. Not perhaps.
The verification is one of the two core operations of the CA (the other
is to sign the certs and keep the key secure). The verifications are
what the audit is all about. Of course the verifications, and whoever
does that, have to be audited. That means watching the actual, real
people, who do the verifications. That's what we need - we need
*somebody* (preferably many, even) independent to verify that the CA
actually does what it says it does, actually, in real world, everyday
business.
A paper is useless, if nobody verifies that it's actually followed.
Everything else is just talk, hot air.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
