On Fri, Jan 03, 2014 at 09:00:23PM +0100, Kurt Roeckx wrote:
> On Fri, Jan 03, 2014 at 10:38:08AM -0800, Ryan Sleevi wrote:
> > 
> > The weaknesses in the hash algorithm - both known and unknown - are what
> > has motivated root programs to require a minimum set of entropy before
> > "attacker-controlled" data to reduce the probability of second pre-image
> > attacks.
> 
> I also never had any trust in any auditing on the CAs, and that
> paper of Microsoft on seems to confirm that.  As far as I know the
> only auditing that really happens is that some accountant goes and
> checks some papers.

So looking at the papers they use, the "Baseline Requirements
Audit Criteria" at webtrust, both V1.0 and V1.1, do not mention
that this is being checked.  So it probably means that this isn't
checked.

It says it's based on the CA/Browser Forum requirements (V1.0 and
V1.1).  This requirement has been in the Baseline Requirements
since at least V1.0.

Maybe we should get organisations such as webtrust to update their list
of requirements so that it covers all the requirements from the
CAB requirements?


Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
