On 11/19/2008 03:56 AM, Ian G:
Yes, and at a technical level I don't see an issue. At a
legal/liabilities level I see an open question: who is taking on the
liability, how is it shared, etc.
...and I might add, how are the basic requirements of the Mozilla CA
Policy governed...
I also thi
Frank Hecker wrote:
Ian G wrote:
One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots. So this would imply that the root
CA's policies and audit drill down through the subroots, and they
apply. Then, it would be up to the root auditor to dec
On 11/18/2008 08:40 PM, Frank Hecker:
This is by way of saying that even if we required annual audit reports,
it's not clear to me that CAs could produce them.
Microsoft made it a requirement and you might ask them how it goes. But
there are many CAs supported by MS, apparently they are capab
On 11/18/2008 08:12 PM, Frank Hecker:
Not to speak for Ian, but I interpreted his comments as follows: We can
add more provisions to the policy to address particular situations, but
what do we ultimately gain in terms of enhanced security for end users?
It's like adding more and more provisions
Ian G wrote:
Eddy Nigg wrote:
Right. It was suggested to require a yearly audit or by other frequency.
Related to this point: I don't know if anyone's noticed this, but
WebTrust seems to be getting clogged in terms of getting new audit
reports out and published. I periodically do a web scr
Eddy Nigg wrote:
On 11/15/2008 06:29 PM, Ian G:
Either way we look at it, I feel that the more controls are put in
place, the more we end up putting in "paper fixes" and the more we
complicate things for a gain that we don't fully understand.
I don't perceive it as such at all. What do we no
Ian G wrote:
IMHO, the policy has served remarkably well, and of
course issues will arise with more experience.
I wouldn't go so far as to say "the policy has served remarkably well".
However I think it has served as a useful document in terms of providing
a context for our discussions, has
Eddy Nigg wrote:
On 11/15/2008 06:29 PM, Ian G:
I agree it is an issue that we should try and
clarify, if not nail down.
Sounds good!
One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots.
This is the situation we had until recently, with CA
On 11/15/2008 06:29 PM, Ian G:
I agree it is an issue that we should try and
clarify, if not nail down.
Sounds good!
One way to short-circuit this is to simply state that the root CA is
responsible for any/all subroots.
This is the situation we had until recently, with CAs under their own
Frank Hecker wrote:
We've had some lengthy discussions about the issue of auditing
subordinate CAs. I'm not going to rehash all those discussions, I'll
just summarize my current thinking:
First, the general issue of auditing subordinate CAs was something we
didn't think through much when we d