Eddy Nigg (StartCom Ltd.) wrote:
> Which raises at least with me the question, if this is indeed what was
> envisioned when Mozilla decided to endorse EV as a better PKI model. Or
> are people like Kyle perhaps rightfully thinking that he's being cheated
> on by some CAs? I'm quoting a recent statement by Kyle:
>
> "The end result is that anyone who chooses to spend a hundred thousand
> bucks or so on a single audit can then go around selling the benefit of
> their inclusion in the trust list to the highest bidder without fear of
> repercussion. Which is what they've been doing. And nobody has the balls
> to stand up and say "user security is more important than user
> convenience". (In addition, roots have been sold to other companies,
> which have not passed continuing conformance audits.)"
From project experience I can confirm that it's exactly like what Kyle suspects. I won't mention names, but bringing your CA certs into MS IE and the Mozilla products is simply a cash cow. Nothing else. In the cases I know, no audits were conducted on sub-CAs by the root CA people, not even simple reviews of the sub-CA's CPS.

Ciao,
Michael.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

