On 12/27/2008 5:48 AM, Michael Ströder wrote [in part]: > ro...@comodo.com wrote [in part]: >> On Dec 24, 2:13 am, "Paul C. Bryan" <em...@pbryan.net> wrote: >>> 2. Are resellers subject to the same audits that Comodo presumably had >>> to undergo to get its root certs added to Mozilla? Who performs, and >>> who verifies such audits? How often are they performed? >> No, the RAs are not subject to the same audits as Comodo. > > And that's a fundamental flaw. If you delegate RA functionality (here > domain validation) to a reseller leading to the reseller being capable > of triggering cert issuance without further validation of the CA the RA > should also be audited just like the CA. >
Instead of auditing RAs and resellers, audit the root CA's process for ensuring that RAs and resellers comply with the CA's policies (e.g., the CP). This is what I proposed in a different (but related) thread in this newsgroup. The CA approves its RAs and resellers. Thus, the CA should be held accountable for the actions of its RAs and resellers. If the CA's CP addresses how accountability is handled (or denies the existence of RAs or resellers), the CA's outside audit is supposed to review the implementation of this (along with the implementation of the all rest of the CP). If this accountability is not addressed in the CP or the way it is addressed is weak, the CA's root does not belong in the Mozilla database. I ask Hecker, Wilson, and any others doing the initial reviews of root certificates proposed for inclusion in the Mozilla database to give some attention to this. -- David E. Ross <http://www.rossde.com/> Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You can access Mozdev much more quickly than you can Mozilla Add-Ons. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto