NSS

Comment 35 for bug 310999

I guess obvious questions that the investigation should address are:

1) Is Comodo's delegation of RA functions to third parties consistent with its CPS?

2) Is this kind of delegation consistent with the Webtrust audit guidelines? If yes, were the third party RA's audited? And if not, is THAT consistent?

3) Did Eddy's mozilla.com certificate work in MSIE before it was revoked? Does it -still- work in MSIE?

4) What response (if any) has Microsoft made towards this incident?

If Comodo's CPS and Webtrust guidelines allow delegation of RA functions to unaudited third parties, that sounds like a gap in the guidelines, that should be addressed by the AICPA and in future audits of all enabled CA's.

If Comodo's CPS allows this delegations and the audit guidelines (which presumably included a review of the CPS) do not, then Comodo's auditor has something to answer to.

If the CPS doesn't allow the delegation and Comodo did it anyway, then that situation needs to be fixed, and I don't see a way other than a new audit to confirm that it's fixed.

I like Sam Johnson's suggestion (comment #30) of a separate intermediate CA cert for each RA. The other issues (my fault for bringing them up on this thread in the first place) are probably better discussed elsewhere.