Eddy Nigg (StartCom Ltd.) wrote:
> It seems to me, even though I believed that EV will change that, nothing
> will change in that respect, especially the vetting of the issuing CAs.
In addition to Stephen's comments, I'll note that the EV guidelines specifically state (section J.35.c.1 on page 47):

"During the period in which it issues EV Certificates, the CA and its Root CA MUST undergo and pass an annual (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit, or an equivalent for both (i) and (ii) as approved by the CA/Browser Forum. Such audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor."

AFAIK "CA" in this context means "issuing CA" in the sense you've been using it, namely the CA that actually issues the end-entity EV certs. So whether or not this is actually being done in practice, I think the EV guidelines are pretty clear that it is not sufficient merely for the root CA to be audited; the audit requirements extend to each and every subordinate CA issuing EV certs.

Frank

--
Frank Hecker
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

