Ian G wrote:
Eddy Nigg wrote:
<snip>
Right. It was suggested to require a yearly audit or by other frequency.

Related to this point: I don't know if anyone's noticed this, but WebTrust seems to be getting clogged in terms of getting new audit reports out and published. I periodically do a web script that downloads reports from webtrust.org by number (so I catch all reports issued), and it seems like there aren't a whole lot of new reports coming out -- at least, I would have expected to have seen more reports given the number of CAs out there supposedly doing WebTrust audits.

This is by way of saying that even if we required annual audit reports, it's not clear to me that CAs could produce them. There seem to be some bottlenecks in the CA audit realm, at least in the WebTrust case. I don't know if this is a problem with WebTrust specifically (i.e., central program administrators) or with the availability of WebTrust-authorized audit teams.

Yes, that is frequently suggested. I don't know why anyone believes it will work. I can sort of understand that everyone feels that if we just try harder and double the checks, it will be good, but surely we have passed the age of innocence by now? Sarbanes-Oxley and all that. More checking doesn't solve the issue, but it sure makes someone a lotta dosh.

Well, it doesn't make any extra money for me, or for the Mozilla Foundation :-) More seriously, I think the analogy to Sarbanes-Oxley is relevant, for reasons I've previously expressed.

That's what we had previously. Some easy-to-find flaws already have been detected (DigiNotar, Staat der Nederlanden). Those were just the ones we came across by chance, I don't even want to know about everything we don't know.

Can you describe those flaws for me or us?  Case studies are helpful.

Eddy's talking about cases where CAs issued certificates with email addresses but did not apparently validate control of those addresses by the applicant. These were fairly straightforward violations of our policy, and also were directly relevant to the intent of the policy to provide some base-level assurance relative to using certificates.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto