On 01/02/2009 06:55 PM, ro...@comodo.com:
That thread has a lot going on and I don't propose to try to
address it all.  However, I will address your reading of our CPS in an
attempt to bring some degree of clarity.
If I correctly understood your referenced post, you asserted that:
1) Comodo outsources validation to its (non RA) resellers.
2) That the outsourcing of validation to anyone is in direct conflict
with section 4.2.7 of the PositiveSSL CPS.

Hi Robin,

Thanks for your reply. In order to understand this a bit better, let me challenge and ask you some more questions.


#1 is incorrect.
You refer to section 1.10.2 of the main CPS as evidence for your
assertion, but that section specifically refers to our main RA class
of partners, which we denominate "Web Host Resellers".

OK, therefore "Web Host Resellers" are actually RAs. In section 1.10.2 it says clearly:

"The Web Host Reseller Partner is obliged to conduct validation in accordance with the validation guidelines and agrees via an online process (checking the “I have sufficiently validated this application” checkbox when applying for a Certificate) that sufficient validation has taken place prior to issuing a certificate."

So what you are saying is that Web Host Resellers are actually RAs according to the CPS and are conducting the validations. How are those validations usually done - as per below? Which training do they receive usually? How do you select those RAs? Which subscriber agreement must be presented by the RA to the subscriber?

Section 4.2 deals with application validation and in particular 4.2.2 explicitly mentions again (as also in the PositiveSSL CPS):

"Reviewing domain name ownership records publicly available through Internet approved global domain registrars and using generic e-mails which ordinarily are only available to person(s) controlling the domain name administration, for example, webmaster@ . . ., postmaster@ . . ., admin@; or

Requesting documentation that verifies control of the domain."

However, it's not Comodo which performs those validations, you say, but the RA (Web Host Reseller). Why isn't Comodo doing it through the same web interfaces available to the resellers? How exactly is documentation verified for control validation? How are you retaining evidence about the performed validations? How did the auditor review those validations?

Sections 1.10, 2.2, 2.8, 3.9.3, 4.13.1, 5.15, 5.18, and 5.26 of the
main CPS also further serve to define the interaction of RAs in the
processing of certificate applications.

What are the penalties in case an RA doesn't uphold the CPS and as per section 5.18?

And a last question, where exactly are resellers handled in your CP/CPS? Thanks so far...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
