On 9/1/09 21:05, Julien R Pierre - Sun Microsystems wrote:
> Not at all. That's why there is a Mozilla CA policy, and some CAs are
> shut out. You need to have at least some audits. Not saying that those
> are perfect - obviously they can miss things, but they are usually still
> better than nothing. If the audits are worthless, then there is a
> problem and better auditors need to be found ...


Possibly I am overreacting here, but your angst as directed at the auditors is, I feel, unfair. IMHO, and based on my experiences on both sides of this fence: Auditors do the job that you gave them to do. Actually, they do it fairly well, within the circumstances.

If there is a problem, it is right here. You, the wider downstream part of PKI, don't understand the process.

More precisely, we ask the auditor to report, without understanding the language of the report and the nature of the process. So, when the auditor reports weaknesses (as seen recently), nobody notices. If every auditor reports weaknesses in every CA, is there any reason why anyone would notice? If an auditor were to report that the CA isn't any good for *your* reliance but ok for my reliance, you would not notice. Nor would I.

The wider flaw is an assumption of perfection. It is a shared belief of the PKI industry that the audit report is some binary stamp or magic permit of goodness in the business of certificates, for all and sundry.

It is not, not even close. It needs massive care and a fair swathe of experience to interpret. It takes years to understand how to cryptanalyse a crypto function or protocol; audits are no different.

That's not to say that the audit is useless or does not have a benefit. They aren't useless; they have benefits. It is just that the downstream relying parties have no easy grip on what they might be.

Caveat emptor. If you don't read and interpret the results then, to use the language of PKI, you have failed to carry out the steps of reliance, as documented in the auditor's "CPS".

In general, I see no way that any auditor can be blamed for the failures in reliance.



iang, currently auditor for CAcert.  A very slow job!
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
