Re: Server Gated Cryptography

2009-01-20 Thread srdavidson
Yes, those browsers allowed SGC/Step-up only for a restricted list of pre-installed root CA certificates. Anyone have a list of the specific roots that are SGC enabled? Many of them must be due for expiry soon. Is the intent to renew/replace them with SGC super-powers, or to let SGC fade

Re: Reassessment of sub-ordinated CA certificates

2008-02-13 Thread srdavidson
Maintenance of the WebTrust seal requires an annual audit. The audit is of compliance with the CPS - so if there are issuing CAs - whether internal or external - covered by the CPS, then they are part of those procedures. The same is not true of ETSI - which is a standard, not really an audit regime.

Re: Reassessment of sub-ordinated CA certificates

2008-02-11 Thread srdavidson
1. Audit standards (WebTrust and ETSI for example) check that the CA complies with its CPS - and that includes subordinates and external RAs. From WebTrust: In the hierarchical model, the root CA maintains the established community of trust by ensuring that each entity in the hierarchy conforms

Re: Reassessment of sub-ordinated CA certificates

2008-02-11 Thread srdavidson
The end result is that anyone who chooses to spend a hundred thousand bucks or so on a single audit can then go around selling the benefit of their inclusion in the trust list to the highest bidder without fear of repercussion. Which is what they've been doing. And nobody has the balls

Re: StartCom Root Certificate Inclusion Request

2007-05-23 Thread srdavidson
This is a broader comment on the Mozilla CA policy. If the desire is to include security reviews that are equivalent to a WebTrust audit, then for reviews against technical standards like ETSI the policy should require annual reviews as well as provide more detail on what comprises a Competent