This comment is likely going to be viewed as being in poor taste...

Wasn't it a lack of regulation that managed to put the US and the rest
of the world into this economic semi-meltdown that we're in?  Wasn't
it untrustworthy auditing (from Arthur Andersen) that led to the
implementation of Sarbanes-Oxley and such?

-Kyle H

On Mon, Dec 29, 2008 at 1:23 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 12/29/2008 08:04 PM, Frank Hecker:
>>
>> When we created the policy I was well aware of the existence of RAs and
>> of the possibility that CAs might outsource functions like domain
>> validation to RAs. Whether or not this is clear from the policy (and I
>> guess it's not, since you and others are asking about this), my
>> intention was certainly that the activities of RAs were considered to be
>> encompassed within the overall activities of CAs, and that the policy's
>> requirement for CAs to validate domains left open the possibility that
>> this might be done by RAs acting as agents of CAs.
>
> Incidentally we've not long ago agreed that we'll have to look at the
> various RAs scenarios more closely in the future. There is a similarity
> between externally controlled sub CAs, RAs and apparently also "Resellers",
> where resellers actually act as RAs (according to Comodo's CPS).
>
> As in the case of various other issues listed in the "Problematic Practices"
> pages [1], RAs will have to be defined more clearly as well. Something which
> was supposed to be obvious apparently isn't.
>
> As such, there are many common practices in this industry which are not up
> to today's requirements and/or the race to the bottom require clear
> regulation, something which previously maybe wasn't required. My insistence
> on detecting, declaring and defining them previously always had the goal to
> prevent possible damage and with it make PKI and digital certificates
> irrelevant for the Internet. Therefore, common practice by CAs never must be
> the criteria for sound and responsible requirements.
>
>> So, to repeat, I don't think the key issue here is whether CAs should or
>> should not be allowed to delegate domain validation to RAs. The question
>> (e.g., as in the case of Comodo and Certstar) is rather whether
>> particular RAs are doing this properly, and if it's not done properly,
>> whether the failures on the part of RAs represent isolated incidents or
>> whether they indicate a systemic failure of the CA to properly oversee
>> its RAs.
>
> It's the inconvenience to have to confirm an email ping or other automated
> control verification by the subscriber which leads some CAs to circumvent it
> with "agreement by checkbox" validation. This results in an undue risk
> (be it just by human error and not intent or negligence) and unfair
> competition as well. I'd never outsource domain name validation to such
> identities like RAs and Resellers, not even for intermediate CAs. RAs may
> perform identity or organization validation sometimes more efficiently than
> the CA due to local proximity, however technical requirements such as domain
> or email have no justification to be outsourced. Otherwise also physical and
> local controls and requirements will have to be added to the RA
> infrastructure, which makes it even more complicated.
>
> [1] http://wiki.mozilla.org/CA:Problematic_Practices
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: start...@startcom.org
> Blog:   https://blog.startcom.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>