Ian G wrote:
> Which language suggests they have to do verification *themselves*?

The fact that the policy talks about a CA, and I didn't see talk about external entities.

> BTW, it would be quite problematic to insist that the CAs do this job themselves.
>
> CAs are not generally experts on the issues raised. Traditionally, CAs outsource the processes within verification to a range of different organisations: government registries, commercial credit agencies, credit card companies, passport offices, birth registries, etc. That is, to insist they "do it themselves" would mean that they would have to develop skills that might be better handled elsewhere, and might in the end reduce to moving the deckchairs around.

Yes, it seems reasonable that a CA relies on external sources of information like the ones you mention.

If the CA has obtained information from registry offices like the above, the CA should be able to conclude "verified" on their own. It's a first hand decision.

In my understanding, what we have experienced here was a second hand decision. Some external entity claimed to have done verification. The CA relied on that and treated it as sufficient. That's the bug.

In my opinion, if a CA wants to delegate the decision about correctness of verification to an external party, they must verify the business practices of that external party, requiring the same sense of duty. And my proposal is, as part of this test, the external party should go through the same kind of audit that Mozilla requires for CAs.

As I see verification as the core intention of the CA principle, I would have assumed above requirement is obvious to everyone, at least to CAs themselves.

> However, to turn it into a criterion or policy point, you would need to much more clearly refine your point, *and* you should clearly relate it to how this will improve security. I suggest this is much tougher than it sounds.

I'm not talking about improving security. I want to ensure we forbid lowering of verification quality through the backdoor.

My point is, we must find a way to ensure the purpose of the CA audit can not become void. We should forbid the practice to delegate the core of verification to external entities with unknown sense of duty.

Kai


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
