On 12/27/2008 02:40 AM, Ian G:
On 27/12/08 00:53, Eddy Nigg wrote:

Yeah right! It really depends what the right balance is, ehhh?!


There is no "right balance" just like there is no world peace. Security
is an economic phenomenon, not a beauty pageant.


No, security is an inconvenience, but I've said that earlier already.


The story starts before that. You are just seeing the tail, I'm seeing
what preceded that - or better, what did not happen and should have.


That "earlier story" has no real place here, IMHO. This is a forum for
the discussion of technical, crypto, root and general PKI issues, by
either diktat or convention. It is not a forum for the airing of general
business complaints.

You don't seem to get it, do you? The story starts before your stating of the facts you would like us to believe. The story starts with putting resellers and so-called RAs in charge of validation procedures they have no clue about, and with failing to audit, approve and control them; that is called due diligence. The story continues with failing to prevent issuance of high-profile target certificates, such as Mozilla certainly is, and the story continues with failing to detect them once issued. As I said, you are only seeing the tail...


There seems to be an emerging consensus that more open is more better,
in general at least.


This might be correct. However, generally speaking, CP and CP statements and other publicly available documents, in addition to general questioning (at least during our review procedures at Mozilla), are fairly sufficient.

In relation to Comodo, the writing has been on the wall.

E.g., where Comodo or any CA completes an internal audit and creates a
report to document that audit action, could we expect the CA or the
internal auditor to publish this as a routine action?


I don't think we can expect that as a general rule.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto