Ian Carroll <[email protected]> writes:

>There are many statements about M of N, HSM access, etc which do not appear
>to be relevant to this issue.

That's not specific to e-Tughra though, that's standard for CAs where what gets audited is all the fancy security mechanisms around the CA's private key(s) and what barely, or not at all, gets audited is the various RAs that pull the CA's strings.

Years ago I saw a cartoon lampooning a certain country's defence policy which had lifeguard-style flags set up on a piece of open ground and a sign between them saying "Please attack between the flags". With CAs it'd be "please audit between the flags".

Not defending or criticising e-Tughra, just pointing out that this isn't their fault, it's How CAs Are Done.

Peter.
