On 12/26/2008 03:28 AM, Gen Kanai:
I personally like John Nagle's proposal from earlier in this thread:
http://groups.google.com/group/mozilla.dev.tech.crypto/msg/9443ba781a669879
Gen, one thing to note, that Comodo most likely performs a yearly
WebTrust audit, though the last one I can see currently is from the
tenth of July 2007.
Also important to note that the audit itself isn't enough - that's why
there is the Mozilla CA Policy which clearly defines the minimal
requirements. (A CAs can pass a WebTrust audit without conforming to
those requirements set up by Mozilla).
As a matter of fact, we are still missing a procedure to make sure that
CAs issuing EV certificates indeed perform the yearly audit as required
by the EV guidelines. Those which don't, have to have EV status removed
as they wouldn't be in compliance with the EV guidelines.
Additionally, Mozilla has no control directly over certificates issued
through certstar, since the certificates are issued from an intermediate
CA certificate of Comodo. It's however possible and relatively easy to
ADD this intermediate to NSS and deliberately mark it untrusted. It
could be a good solution to prevent damage in case there should be more
certificates in the wild (and assuming that resellers certs are issued
through this intermediate).
Incidentally I've brought up the issue of AddTrust and UserSomething CAs
during the review discussion this year. It isn't exactly surprising that
now all those questionable practices come up again, isn't it?! There
were many more concerns brought up, which had no effect whatsoever on
the status of Comodo and their request to upgrade to EV was eventually
approved.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
