Regarding KPMG: It appears to be a Switzerland-based group of auditors. http://www.kpmg.com/Global/ContactUs/Pages/InternationalHotline.aspx has contact information for the Group relating to accounting, auditing, or other irregularities.

For US reporting, http://www.kpmgethics.com/ is where it directs.

-Kyle H

On Mon, Dec 29, 2008 at 10:28 AM, Ben Bucksch <ben.bucksch.n...@beonex.com> wrote:
> Background: CertStar issued certificates without verification whatsoever.
> The faulty certs were signed with the PositiveSSL certificate, which is
> chained to the UserTRUST root cert that Mozilla ships. The UserTRUST cert is
> owned and operated by Comodo.
>
> Our policy mandates that CAs have a valid audit to prove that they do
> diligent verifications.
>
> Thanks to Frank Hacker for posting the link to what he thinks is the
> latest audit of Comodo regarding normal certs (non-EV):
> <https://cert.webtrust.org/SealFile?seal=798&file=pdf>
>
> This audit is issued by KPMG. It merely certifies that Comodo follows its
> *own* self-defined guidelines. (I think that is not sufficient, but EV fixes
> that to some extent.)
>
> The Comodo guidelines and processes, as certified by the above document, are
> at
> <http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf>
>
> Section 1.10 shows that Comodo indeed uses Registration Authorities to do
> all verification, see my previous post "Re: CAs and external entities
> (resellers, outsourcing)"
> <http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/43bdc908878eb4b4?q=#fd8d123e7881c729>
>
> Most interesting to the current case, where the PositiveSSL certificate
> proved most problematic and which was already contemplated to yank, is
> section 2.4.1 a):
>
>> a) PositiveSSL Certificate
>> PositiveSSL Certificates are low assurance level Secure Server
>> Certificates from Comodo ideal for mail servers and server to server
>> communications. They are not intended to be used for websites conducting
>> e-commerce or transferring data of value.
>> ...
>> Due to the increased validation speed and the nature of how Comodo intends
>> PositiveSSL certificates to be used, the certificates carry no warranty.
>>
>> PositiveSSL certificates are available from the following channels: Comodo
>> Website, Reseller Network, Web Host Network, PoweredSSL Network, and EPKI
>> Manager.
>
> "not intended for ... e-commerce. ... the certificates carry no warranty"
>
> It's clear that these certificates were never defined to be used in
> browsers, and therefore never should have been shipped with browsers. In any
> case, whatever Comodo's intent or actions, PositiveSSL does *not* carry a
> valid audit for inclusion in browsers.
>
> I think the fault is clearly on Comodo's side, as the PositiveSSL cert is
> not included directly in Mozilla's root certs, but signed by Comodo's
> UserTRUST cert, which is included in Mozilla browsers. Therefore, Comodo is
> responsible for having allowed certificates for e-commerce which were
> specifically excluded from e-commerce and which explicitly "carry no
> warranty".
>
> The audit was also faulty, because the signature of PositiveSSL by the
> UserTRUST root and its inclusion in browsers is mentioned in the same
> document in section 1.8.3. In other words, the document contradicts itself
> and should never have been approved by the auditor (KPMG) as-is.
>
> Suggested actions:
> * Add PositiveSSL cert to cert root with trust bit disabled, i.e. disabling
> it, assuming that works. IMHO, the current Firefox UI dialog is fine. It's
> as if PositiveSSL were never added to the cert store, which is what should
> have been the case all the time.
> * Reconsider inclusion of Comodo certificates in the Mozilla root, as Comodo
> has violated its own definitions.
> * Require Comodo to remove the concept of Registration Authorities and do
> all verifications themselves. At minimum, Comodo must do a Domain Validation
> themselves.
> * For KPMG having done a faulty audit, I don't know what the possible
> actions are, of a legal or reputational nature.
>
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
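The chain shape the post describes (site certificate signed by the PositiveSSL intermediate, which in turn chains to a root the browser ships) and the first suggested action (carry the intermediate in the store with its trust disabled) can be tried out locally. The script below is an added example; it is not code from the thread, from Mozilla or from Comodo. It generates a throwaway root, intermediate and site certificate with invented names (Demo Root CA, Demo Low-Assurance Intermediate, shop.example, and all file names) and uses OpenSSL's explicit-reject trust data (`x509 -addreject serverAuth -trustout`) as a stand-in for an NSS distrust entry. It assumes OpenSSL 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Rebuilds the chain shape under
# discussion (site cert <- low-assurance intermediate <- root in the
# browser store) from an invented hierarchy and shows three outcomes:
#   1. root trusted, intermediate served by the site:      accepted
#   2. root trusted, intermediate neither served nor stored: rejected
#   3. intermediate in the store with an explicit rejection: rejected,
#      even though the site also serves a clean copy of it
# Names and files are made up for the demo. Needs OpenSSL >= 1.1.1.
set -e

WORK="${DEMO_DIR:-$(mktemp -d)}"

# Generate root -> intermediate -> leaf. Extensions come only from our
# ext files so the distro's openssl.cnf defaults do not leak in.
build_chain() (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:shop.example\n' > leaf.ext

    for name in root inter leaf; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$name.key" 2>/dev/null
    done

    # Self-signed root (stands in for the root the browser ships).
    openssl req -new -key root.key -subj "/CN=Demo Root CA" -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem 2>/dev/null

    # Intermediate signed by the root (stands in for the low-assurance CA).
    openssl req -new -key inter.key -subj "/CN=Demo Low-Assurance Intermediate" -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 30 -extfile ca.ext -out inter.pem 2>/dev/null

    # Site certificate issued by the intermediate.
    openssl req -new -key leaf.key -subj "/CN=shop.example" -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out leaf.pem 2>/dev/null

    # The same intermediate re-encoded as a TRUSTED CERTIFICATE whose aux
    # data rejects the serverAuth purpose: "known, and not to be used for
    # TLS servers". A store holding it is the distrust case.
    openssl x509 -in inter.pem -addreject serverAuth -trustout -out inter-rejected.pem 2>/dev/null
    cat root.pem inter-rejected.pem > store-with-distrust.pem
)

# Print "accepted" or "rejected" for leaf.pem as a TLS server certificate
# against the named trust store (a file in $WORK). Extra arguments go to
# openssl verify, e.g. "-untrusted file" for what the site would send.
verify_leaf() {
    store="$1"; shift
    if openssl verify -purpose sslserver -no-CApath -CAfile "$WORK/$store" "$@" \
            "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

served_intermediate()     { verify_leaf root.pem -untrusted "$WORK/inter.pem"; }
missing_intermediate()    { verify_leaf root.pem; }
distrusted_intermediate() { verify_leaf store-with-distrust.pem -untrusted "$WORK/inter.pem"; }

build_chain
echo "root trusted, intermediate served:   $(served_intermediate)"
echo "root trusted, intermediate missing:  $(missing_intermediate)"
echo "intermediate stored with distrust:   $(distrusted_intermediate)"
```

The third case is the one that matters for the suggested action: merely leaving the intermediate out of the store (case 2) only rejects the site until the server starts sending the intermediate itself, which every correctly configured PositiveSSL site did; a distrust entry (case 3) keeps rejecting because OpenSSL, since 1.1.0, looks in the trust store before the certificates the peer supplied and stops as soon as it meets an explicitly rejected one. NSS, which Firefox uses, expresses the same thing with certutil's `p` trust flag, documented as "prohibited (explicitly distrusted)"; the OpenSSL aux data used here is an analogue for demonstration, not the NSS mechanism itself.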