On Tuesday, October 31, 2017 at 9:22:09 AM UTC-4, Kyle Hamilton wrote:
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certificate-authority-business

I did a little spot check. So yes they hired a person who was involved with Entrust, so that is a plus. The website says it is an IP carve out. OK. Does this translate into knowledge so a consumer can make a rational trust decision?

I looked at their most recent CPS while shopping for a client email certificate.

3.2.7.1. Personal Secure Email Certificate

The only identifying information in the subject DN is the email address of the Subscriber. Comodo validates the right for the Applicant to use the submitted email address. This is achieved through the delivery via a challenge and response made to the email address submitted during the Certificate application. Comodo validates that the Applicant holds the private key corresponding with a public key to be included in the Certificate by utilizing an online enrollment process whereby Comodo facilitates the Subscriber generating its key pair using a specially crafted web page. The key pair is generated in the Subscriber’s computer. The private key is not exported or transferred from the Subscriber’s computer as part of the application process.

This was previously "Free" and now is billed at $12, but no matter.

I clicked on the chat window and spoke to a technical support rep. I asked what NIST Level of Assurance was the S/MIME certificate, after about 10 minutes I got the answer, which was LOA 3.

So as a consumer I was just told I could get a NIST LOA 3 S/MIME client and signing certificate for $12, that according to the website also would be trusted by Mozilla, etc.

Of course I know that's not possible, and we can't always expect random support people to give the right answer. So what is the value add here from Francisco Partners, other than the previously "Free" certificate is now $12 and claimed to be at LOA 3?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy