On 22/03/2016 19:16, Peter Bowen wrote:
Over the last year or so there seems to be a lot of movement in CA
ownership.  Would it be worth asking for each root to provide an
indication of company/organization ownership?

For example, NetLock indicates on their website they were acquired by
Docler Holding in 2013.  Similarly, TrustWave says they are now part
of SingTel.  These are not reflected in the CA list today.

Thanks,
Peter


I agree that this is critical information for trust purposes, as there
might be conflicts of interest in any given user situation.

For example, a certificate from SingTel/TrustWave would provide no
protection against actions by SingTel (imagine if the user is using
SingTel as ISP, and needs assurance that an https connection was not
intercepted by said ISP).  It would remain a perfectly good protection
if the ISP was anyone else.

Similarly, a certificate from Docler/NetLock would provide no proof
when checking the veracity of a signed e-mail presented as evidence by
Docler Holding in some business matter.

Note that both examples above are hypothetical; I am not accusing
either company of misusing its ownership of either CA to issue false
but genuine certificates for their own business purposes.  Equivalent
hypothetical examples can be constructed for every CA imaginable.

On the other hand, such ownership provides *higher* trust when a
certificate was issued to a parent or sister company, as the CA
presumably would use in-house evidence to double-check any such
certificate before issuing it.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy