Hi John,

You raise some important questions, but it's worth having clarity on a
few matters of fact.

John Nagle wrote:
>    1.    AddTrust, a company which apparently no longer exists, has an
>     approved root CA certificate.  This in itself is troublesome.

This is extremely common. Certificates change hands. Failing to honour
root certificates which are no longer owned by the companies which
created them would break a significant proportion of the web. Microsoft
does not have a policy preventing this.

The previous are statements of fact; at this point I express no opinion
as to whether those facts are a good state of affairs.

>     Comodo does
>     not seem to have taken on the obligations of AddTrust; see
>     "http://markmail.org/message/3zr4e5hxwmxjbgnp?q=Comodo+AddTrust".

That is not what that message says. We (Mozilla) would expect Comodo to
be issuing certificates under any root it owns, whether the name on the
root is its own or another's, in compliance with the Mozilla CA policy
and the audits it has passed. If you have evidence to the contrary
(leaving the current situation aside for a moment), present it.

>    2.    Comodo is apparently not only allowing resellers like CertStar,
>     but is allowing them to do their own validation of the legitimacy
>     of the certificate requestor.  Who takes financial responsibility
>     for such errors?  CertStar itself disclaims financial responsibility
>     at "http://www.certstar.com/terms.html".

That is a reasonable question.

>    3.    Microsoft requires an annual audit for root CAs:
>     "http://technet.microsoft.com/en-us/library/cc751157.aspx".
>     Mozilla seems willing to accept a one-time audit.  That seems
>     to be why the disappearance of AddTrust wasn't noticed.

The two things are not connected. There are root certificates in the
store which bear the names of companies which have not existed for quite
some time. We know about this. Knowing about it is not a function of
audit frequency.

>    1.    Comodo must undergo an audit to WebTrust standards, and the audit
>     report must be published.

As I understand it, Comodo has a current WebTrust audit (confusion in
this thread notwithstanding):
https://cert.webtrust.org/SealFile?seal=804&file=pdf

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto