On 12/26/2008 03:28 AM, Gen Kanai:
I personally like John Nagle's proposal from earlier in this thread:

http://groups.google.com/group/mozilla.dev.tech.crypto/msg/9443ba781a669879


Gen, one thing to note is that Comodo most likely performs a yearly WebTrust audit, though the last one I can currently see is from the tenth of July 2007.

Also important to note is that the audit itself isn't enough - that's why there is the Mozilla CA Policy, which clearly defines the minimal requirements. (A CA can pass a WebTrust audit without conforming to those requirements set up by Mozilla.)

As a matter of fact, we are still missing a procedure to make sure that CAs issuing EV certificates indeed perform the yearly audit as required by the EV guidelines. Those which don't have to have EV status removed, as they wouldn't be in compliance with the EV guidelines.

Additionally, Mozilla has no direct control over certificates issued through Certstar, since the certificates are issued from an intermediate CA certificate of Comodo. It is, however, possible and relatively easy to ADD this intermediate to NSS and deliberately mark it untrusted. It could be a good solution to prevent damage in case there should be more certificates in the wild (and assuming that resellers' certs are issued through this intermediate).

Incidentally, I brought up the issue of the AddTrust and UserSomething CAs during the review discussion this year. It isn't exactly surprising that now all those questionable practices come up again, is it?! There were many more concerns brought up, which had no effect whatsoever on the status of Comodo, and their request to upgrade to EV was eventually approved.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
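The point about adding the reseller's intermediate to NSS and marking it untrusted rests on one rule: an explicit distrust entry is terminal, so a chain through that intermediate fails even though it ends at a trusted root. The following is an added toy model of that rule, not code from the original message or from NSS; the certificate names, chains and trust-store entries are all constructed for the demonstration.

```python
# Added example (not from the original message or from NSS): a toy model of
# how an explicit distrust record for an intermediate CA stops chain
# validation even though the chain ends at a trusted root.
# All names, chains and trust-store entries below are constructed.
from enum import Enum


class Trust(Enum):
    TRUSTED_CA = "trusted root: chains ending here are accepted"
    DISTRUSTED = "terminal record: reject any chain passing through this cert"


def validate_chain(chain, trust_store):
    """chain: list of (subject, issuer) tuples ordered leaf -> root.
    trust_store: dict mapping subject -> Trust.
    Returns (ok, reason). Distrust is checked before trust and before
    walking further up, so a trusted root cannot rescue a chain that
    passes through a distrusted intermediate."""
    for i, (subject, issuer) in enumerate(chain):
        # Each cert must be the issuer named by the cert below it.
        if i > 0 and chain[i - 1][1] != subject:
            return False, f"broken chain: {chain[i - 1][0]} not issued by {subject}"
        entry = trust_store.get(subject)
        if entry is Trust.DISTRUSTED:
            return False, f"explicitly distrusted: {subject}"
        if entry is Trust.TRUSTED_CA:
            return True, f"anchored at trusted root: {subject}"
    return False, "no trust anchor reached"


# Constructed names, loosely modelled on the reseller situation discussed.
ROOT = "Example Root CA"
RESELLER_INT = "Example Reseller Intermediate CA"
OTHER_INT = "Example Other Intermediate CA"

# Store as shipped (root only) versus store with the intermediate distrusted.
TRUST_STORE = {ROOT: Trust.TRUSTED_CA}
DISTRUSTED_STORE = {ROOT: Trust.TRUSTED_CA, RESELLER_INT: Trust.DISTRUSTED}

chain_via_reseller = [("www.example", RESELLER_INT), (RESELLER_INT, ROOT), (ROOT, ROOT)]
chain_via_other = [("bank.example", OTHER_INT), (OTHER_INT, ROOT), (ROOT, ROOT)]

if __name__ == "__main__":
    for store_name, store in (("root only", TRUST_STORE), ("with distrust", DISTRUSTED_STORE)):
        for chain in (chain_via_reseller, chain_via_other):
            print(store_name, chain[0][0], validate_chain(chain, store))
```

Only the chain through the distrusted intermediate is rejected; other chains under the same root keep validating, which is why distrusting the intermediate is less disruptive than pulling the root.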