On Sep 14, 2011, at 2:06 AM, SM wrote:

> Hi Yoav,
> At 11:41 13-09-2011, Yoav Nir wrote:
>> Six months ago we would not have thought that Comodo or DigiNotar
>> were easy to hack. In the latter case, the customers of DigiNotar
>> were left out in the cold. Without
>
> "The DigiNotar partnership has laid down its security policy in
> action protocols and technical protocols. For safety reasons, these
> documents are not publicly available, which means that they are
> unavailable for inspection."
>
> "A regular audit is performed by an independent external auditor to
> assess Comodo's compliance with the AICPA/CICA WebTrust program for
> Certification Authorities."
>
> People get sloppy. Businesses get complacent. At the end of the
> day, it is a business decision.
>
It's all legalese to me. I can read 180 such statements (for the 180 root CAs in Microsoft's store) and not get a sense of which one is safe enough for me. I don't think the average site administrator (or whoever it is who buys certificates in your organization) has better information. Besides, they tend not to put too much thought into such a small expenditure.

_______________________________________________
websec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/websec
