On 12/27/2008 02:42 AM, David E. Ross:
> The issue at hand is not the first time issues about external RAs and certificate sellers have been raised. These are the issues that need to be addressed now. A CA should either assert in its CP that there are no RAs and resellers, or else describe the CA's relationship with them. By policy, the Mozilla organization should require a CA's CP to address the following four points (lumping external certificate sellers with RAs):
>
> 1. The CP should detail how external registration authorities (RAs) are approved.
> 2. The CP should detail how RAs verify subscriber identities.
> 3. The CP should detail how RAs verify authorization of individuals to represent organizational subscribers.
> 4. The CP should detail how the CA verifies that RAs operate in accord with the CA's policies.
>
> The first would tell us how RAs and resellers are chosen. The second and third would tell us what processes are imposed on RAs and resellers. The fourth would tell us how the operations of RAs and resellers are monitored.
>
> Placing these four in a CP puts them in view of outside auditors and subjects them -- especially #1 and #4 -- to being audited. All four of these trace to WebTrust criteria. Note, however, none of these require disclosing who the RAs and resellers are. Instead, I'm willing to rely on ISO 9000 principles: Say what you do, do what you say, and prove it.
>
> If Mozilla policies required these four points in a CP, then approval of a CA's request for inclusion in the certificate database could depend -- with respect to RAs and resellers -- upon (a) Mozilla's and the public's review of the adequacy of the CP statements and (b) the independent auditor's review of compliance with those statements.
Seconded. BTW, this is part of the WebTrust criteria. We need to make it explicit similar to the intermediate CAs.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto