On 4/8/2014 1:25 PM, Kathleen Wilson wrote:
> I'm still conflicted about whether a Super-CA can audit their
> subordinate CAs. And if they can, then what assurances do we have that
> the audit was done in an unbiased manner and according to the criteria
> that we require.

I expressed the same concern earlier. Having previously signed and vouched for its subordinate CAs, a Super-CA might have a vested interest in continuing to vouch for its subordinate CAs. Furthermore, having developed its CP, CPS, and audit process, a Super-CA might not realize weaknesses therein. Finally, few CAs (super or not) have professional experience in performing formal audits.

-- 
David E. Ross
<http://www.rossde.com/>

On occasion, I filter and ignore all newsgroup messages posted through GoogleGroups via Google's G2/1.0 user agent because of spam, flames, and trolling from that source.