From my perspective, it's a CA's job to ensure competent verification of certificate requests. The auditing required for CAs is supposed to prove it.
The verification task is the most important task. All people and processes involved should be part of the assuring audit.

The current Mozilla CA Certificate Policy says: "6. We require that all CAs whose certificates are distributed with our software products: ... provide attestation of their conformance to the stated verification requirements ..."

In my opinion, it means that a CA must do this job itself. The policy currently does not appear to handle the scenario where a CA delegates the verification job to an external entity. So it's unclear whether it's "forbidden" or "allowed if the external entity has received equivalent attestation of their conformance".

In my personal opinion, a CA violates the Mozilla CA Certificate Policy if they delegate the verification job to an external entity not owning "attestation of their conformance to the stated verification requirements". If we'd like to be strict, we could remove CAs from our approved list if they have been shown to be non-conforming in the above way.

In any case, the CA policy should get clarified about involving external entities in the verification and issuing process. All existing CAs should be required to make a statement about their current business practices with regards to external entities. After a grace period, all CAs must either stop using external entities, or get "conformance attestation" for all involved entities.
Kai
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto