On Jan 12, 10:45 am, Eddy Nigg wrote:
> On 01/12/2009 11:27 AM, wolfgang.piet...@t-systems.com:
>
>
>
> > Frank,
>
> > The Comodo topic has once again sparked a fierce discussion about the
> > validity of certificates, how appropriate levels of security and trust
> > should look like and what to d
On 01/12/2009 11:27 AM, wolfgang.piet...@t-systems.com:
Frank,
The Comodo topic has once again sparked a fierce discussion about the
validity of certificates, how appropriate levels of security and trust
should look like and what to do to establish them.
Since we expect this discussion to have
On Dec 31 2008, 12:27 am, Frank Hecker
wrote:
> Eddy Nigg wrote:
> > I edited the Problematic Practices page and added
> >https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domai...
>
> > It might need some improvement. Frank, can you review? This will affect
> > obviously only future
On 31.12.2008 19:57, Frank Hecker wrote:
Kyle Hamilton wrote:
Ummm... has an enterprise PKI ever been included in Mozilla?
Sorry, I wasn't being clear here. I'm not referring to enterprises
that have their own root CAs. I was referring to schemes where
enterprises work through CAs like VeriS
On 01/02/2009 06:55 PM, ro...@comodo.com:
That thread has a lot going on and I don't propose to try to
address it all. However, I will address your reading of our CPS in an
attempt to bring some degree of clarity.
If I correctly understood your referenced post, you asserted that:
1) Como
On Jan 1, 12:59 am, Eddy Nigg wrote:
> Robin, could you provide some clarifications and your opinion concerning
> the post I made titled "Facts about Comodo Resellers and RAs" in
> particular in relation to the CP and CP statements here:
>
> http://groups.google.com/group/mozilla.dev.tech.crypto/ms
On 12/31/2008 12:30 PM, Rob Stradling:
Yes, Reseller and RA are 2 distinct roles. However, in some cases, a single
entity may choose (and be approved) to perform both of these roles.
I fully agree that the Reseller role "should not perform any validation
procedures at all".
Robin, could you
On 12/31/2008 08:57 PM, Frank Hecker:
employees, servers, etc. IIRC in a number of these schemes the CA is
responsible for actually issuing the certificates but the validation is
done by the enterprise. (For example, the CA might provide a web-based
interface by which authorized representatives o
Kyle Hamilton wrote:
Ummm... has an enterprise PKI ever been included in Mozilla?
Sorry, I wasn't being clear here. I'm not referring to enterprises that
have their own root CAs. I was referring to schemes where enterprises
work through CAs like VeriSign to issue certificates to their own
em
Yes, Reseller and RA are 2 distinct roles. However, in some cases, a single
entity may choose (and be approved) to perform both of these roles.
I fully agree that the Reseller role "should not perform any validation
procedures at all".
On Wednesday 31 December 2008 00:29:17 Eddy Nigg wrote:
>
On Tue, Dec 30, 2008 at 3:27 PM, Frank Hecker
wrote:
> I will say however that as a general matter I think it is good CA practice
> to have standard procedures and associated IT systems for verifying domain
> ownership/control and email account ownership/control, and to have resellers
> either use
On 12/31/2008 01:27 AM, Frank Hecker:
One reason I say this is "good CA practice" as opposed to a mandatory
requirement, is because of cases like enterprise PKIs where the
enterprises might act as RAs and do verification based on their own
internal systems (e.g., HR databases).
I think this i
Eddy Nigg wrote:
I edited the Problematic Practices page and added
https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties
It might need some improvement. Frank, can you review? This will affect
obviously only future inclusion requests and i
On 12/30/2008 10:46 PM, Ian G:
On 30/12/08 20:41, Eddy Nigg wrote:
I edited the Problematic Practices page and added
https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties
My comment: it is written like a requirement, using MUST. This is
On 30/12/08 20:41, Eddy Nigg wrote:
I edited the Problematic Practices page and added
https://wiki.mozilla.org/CA:Problematic_Practices#Delegation_of_Domain_.2F_Email_validation_by_third_parties
My comment: it is written like a requirement, using MUST. This is
confusing, and it bypasses th
On 12/30/2008 08:39 PM, Kai Engert:
Eddy Nigg wrote:
On 12/28/2008 01:13 PM, Kai Engert:
The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verific
Eddy Nigg wrote:
On 12/28/2008 01:13 PM, Kai Engert:
The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."
Kai, just
On 12/30/2008 03:24 PM, Kai Engert:
As I see verification as the core intention of the CA principle, I would
have assumed above requirement is obvious to everyone, at least to CAs
themselves.
One of Comodo's CPS (the one responsible for PositiveSSL) claims:
To validate PositiveSSL and Positiv
Ian G wrote:
Which language suggests they have to do verification *themselves* ?
The fact that the policy talks about a CA, and I didn't see talk about
external entities.
BTW, it would be quite problematic to insist that the CAs do this job
themselves.
CAs are not generally experts on the
On 12/30/2008 04:23 AM, Eddy Nigg:
This is most likely not what the Mozilla CA Policy envisioned and
requires. As a matter of fact, we could have known about it and
considered it insufficient during Comodo's review last spring.
Unfortunately even if it came up in some form, it drowned by the oth
On 12/30/2008 04:04 AM, Ben Bucksch:
So, who actually controls that verifications are done at all? I mean,
paper is nice, I can claim and write all I want, and not actually do it,
but I thought the point of the audit was to *check* and control and
ensure that the processes are *actually* carried
On 29.12.2008 19:04, Frank Hecker wrote:
So, in theory at least a WebTrust for CAs audit is supposed to confirm
management's assertions that verification of subscriber information is
being done properly, including any verifications done by third-party
RAs acting on behalf of the CA. In practice
On 29/12/08 23:37, Kyle Hamilton wrote:
This comment is likely going to be viewed as being in poor taste...
It is rather on point. It is also likely to be viewed as poor taste :)
Wasn't it a lack of regulation that managed to put the US and the rest
of the world into this economic semi-mel
This comment is likely going to be viewed as being in poor taste...
Wasn't it a lack of regulation that managed to put the US and the rest
of the world into this economic semi-meltdown that we're in? Wasn't
it untrustworthy auditing (from Arthur Anderson) that led to the
implementation of Sarbane
On 12/29/2008 08:04 PM, Frank Hecker:
When we created the policy I was well aware of the existence of RAs and
of the possibility that CAs might outsource functions like domain
validtion to RAs. Whether or not this is clear from the policy (and I
guess it's not, since you and others are asking abo
Kai Engert wrote:
> From my perspective, it's a CA's job to ensure competent verification
> of certificate requests. The auditing required for CAs is supposed to
> prove it.
> In my opinion, it means, a CA must do this job themselves.
My quick personal perspective on this (and I'll apologize in
On 28.12.2008 12:13, Kai Engert wrote:
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prove it. The verification task is the most important task. All
people and
processes involved should be part of the
On 12/28/2008 01:13 PM, Kai Engert:
The current Mozilla CA Certificate Policy says:
"6. We require that all CAs whose certificates are distributed with our
software products: ... provide attestation of their conformance to the
stated verification requirements ..."
Kai, just to counter Ian's r
Hi Kai,
long reply, I appreciate the grounding in actual policies and practices!
This allows us to explore what we really can and cannot do.
(I've cut two of your comments out to other posts where they might be
generally intersting for the wider audience.)
On 28/12/08 12:13, Kai Engert wr
After having read the posts related to the "unbelievable" event, I
understand the event involved an approved CA and an external entity they
work with.
From my perspective, it's a CA's job to ensure competent verification
of certificate requests. The auditing required for CAs is supposed to
prov
30 matches
Mail list logo
