On Tuesday, 30 October 2018 18:30:11 UTC+1, Moudrick M. Dadashov wrote:
> Thanks for good overview.
> I'd like to add some more.
> Actually the most questionable part of the chain is so called Supervisory
> bodies.
> Of course, root programs do not rely on SB assessment, but under eIDAS they
> are authorised to audit TSPs and then publish National trust lists (as Scheme
> operators under the Commission implementing decision 2015/1505). So anyone
> relying on the list without sufficient care, should assume the adequate risk.

More precisely, SB have the duty to supervise Qualified TSPs, and maintain the TL (i.e. they're not just "authorized to" do that). And by law, whatever is contained in the EUMS-TL shall be trusted and accepted. If a SB publishes a TL where Honest Ahmed is a QTSP, European Relying Parties have no choice but to accept that.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

