On Dec 23, 5:09 am, Frank Hecker <hec...@mozillafoundation.org> wrote:
> There are two general reasons for pulling a root, to address a clear and
> present danger to Mozilla users, and to punish a CA and deter others. My
> concern right now is with the former. I see at least three issues in
> relation to that:
>
> 1. Issuance of further non-validated certs by this reseller. Comodo
> seems to have addressed this by suspending the reseller's ability to get
> certs issued. (I can testify that this is the case, as I tried to
> duplicate Eddy's feat earlier today and got my uploaded CSR rejected.)
>
> 2. Potential problems with certs already sold through this reseller.
> Comodo should investigate this and take action if needed. (This need not
> necessarily require revoking all certificates associated with the
> reseller; for example, the existing certs and their associated domains
> could be re-validated, the registered domain owners could be notified of
> the potential for bogus certs floating around, etc.)
>
Frank,
We are in the process of reviewing all of the certificates that have
been issued where Certstar served as a RA for Comodo. Fortunately they
have only been involved in the validation of 111 certificates.  As I
previously mentioned as soon as we discovered the error with the
Mozilla.com certificate we suspended Certicom’s RA privileges.
Certstar’s RA activities remain suspended.

At this point it appears that the Mozilla and Startcom certificates
were an anomaly, the result of the automatic DCV mechanism being
bypassed by accident.  Certstar’s account will remain suspended until
we are satisfied that the certificates issued for Mozilla and Startcom
were as Certstar maintains, the result of unintentional mistakes that
have been corrected with safeguards in place to prevent a
reoccurrence. Should Comodo decide to reinstate Certstar as an RA we
will review each certificate request until we are satisfied that
Certstar has been adequately trained and that yesterday’s mistake
cannot be duplicated.

Comodo has been able to verify that 73 of the 111 orders processed by
Certstar were processed pursuant to the requirements of our CPS and
our webhost RA terms and conditions.  We should have our review of the
remaining 38 certificates completed by tomorrow evening.  If we are
unable to verify any validation, we will revoke the applicable
certificate.


> 3. Potential problems with other Comodo resellers. I'm not going to tell
> Comodo how to operate its reseller network, but they certainly should
> take a look at whether and where this might be a problem with other
> resellers, and how they could revamp their systems to reduce potential
> problems with resellers.
>
Comodo takes its responsibility to supervise RAs very seriously and we
actively audit their performance. While it is not practical to audit
100% of their work, we audit a representative sample.  In the past we
have discovered only a few isolated incidents where our sub CAs or RAs
failed to follow the applicable guidelines.  When this has occurred we
have suspended the account, performed additional audit activities and
where appropriate revoked certificates. We are confident that our
existing system works well and are constantly looking for ways to
improve it.

We apologize for Certstar’s mistake and assure you that we will
redouble our self-auditing efforts to ensure the problem does not
repeat itself.

Regards
Robin Alden
Comodo
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
