Frank Hecker wrote:
The main issue with T-Systems is that they are not WebTrust audited, but they have been certified for compliance with the German Digital Signature Act. I'm not personally familiar with how the requirements of this act compare to the WebTrust criteria, and therefore I don't know if this would satisfy the "WebTrust-equivalent" requirement. If any of you know more about this please post a comment in the bug above.
(I just posted the below in two tranches to the bugzilla system, but I'm not totally confident I have it nailed, so excuse the repost here.)
In order to compare the two regimes it would be necessary to state with some certainty what it is that WebTrust achieves, and I don't think this is possible in objective terms. Or, at least I've not seen any objective statement of what MF demands of the WebTrust regime, and its place is more justified on "historical evolution."
So any comparison would have to be subjective.
Having said that, I suspect that this is easy enough in this specific case, because the German law follows the regulated model for Digital Signature Acts.
In digital signature laws there are (as a gross simplification) two "models" being the highly regulated one and the permissive one. The latter is the easiest one to write about and understand: it simply states that a signature that is created digitally is not denied the status of a signature purely because it is digital.
This is no bad thing, as it extends the signature and allows it to be considered on its merits in a dispute, which is what we want. However, it adds nothing to a question of whether a CA using that form is comparable to a WebTrust audited CA, the precise question today.
The other model, the regulated model, is often referred to as the Utah model. This model is comparatively heavyweight and much closer to WebTrust. In this model, a CA can be licensed by the state, and must take on obligations and responsibilities. As long as those obligations and responsibilities are serious, then one could make a subjective judgement that this is as sufficient as WebTrust, for the purposes of Mozilla (I'm writing this trying to avoid stating that WebTrust itself represents the necessary goal...).
Doing a bit of googling I found the link below, which is an analysis of the 1997 law passed in Germany. The appropriate text is also below as a useful summary of Mozilla's interests.
On the basis of that, my "vote" would be for adding the T-Systems root cert, if they can confirm that they are licensed by the state under the provisions of the Act, and subject to Duties and Obligations outlined below.
A simple letter to that effect would seem like sufficient due diligence. Anything more would probably lead to needing the legal eagles to pass muster and an "opinion" and that is way beyond the scope of Mozilla Foundation's activities and position on liability.
iang
http://www.droit.fundp.ac.be/textes/addendum.pdf
(3) Duties and Obligations
The DSA provides, inter alia, for the following obligations:
Article 5 states that the CA will have to reliably establish the identity of persons applying for a certificate as well as information concerning their professional status.
The CA must issue certificates and take measures to prevent undetected forgery or manipulation of data as well as to ensure confidentiality of private signature keys.
The CA will notify the applicants of the measures necessary to support secure digital signatures and their reliable verification.
Article 8 contains an obligation concerning the invalidation of certificates where the owner of a signature key requests it, when the certificate was obtained through certain false statements. It should be noted that the DSA does not address the issue of whether the CA should be required to provide a full 24-hour service for invalidating certificates.
(4) Liability
Unlike other laws or proposals, the DSA does not address liability issues. Legal comments argue that regulation has been postponed until more consensus has been achieved about which kind of rules should be established. Therefore, at the moment, the general liability rules shall apply. In case of tort liability, this means that a with-fault liability regime will be applicable.
The licensed CA, as described above, has the statutory obligation to issue certificates and to establish and maintain a database of revoked certificates. Thus, the CA should assume responsibility for the accuracy, the updating and completeness of its certificates and database vis-à-vis its own subscribers.
The criterion of duty of care would seem to be a good one. However, because of the technical issues surrounding the certification process, it will be very difficult for consumers to prove the lack of care of the CA in the issuance of a certificate. Consequently, we suggest that the onus probandi should be reversed. This means that it should be sufficient for the damaged subscriber and third party to assert that the CA did not exercise sufficient care in the carrying out of his obligations and it will be up to the CA to evidence the contrary by proving the satisfaction of the requirements set out in the DSA and Ordinance.
mozilla-crypto mailing list: http://mail.mozilla.org/listinfo/mozilla-crypto
