(In reply to comment #31)
> 1) Is Comodo's delegation of RA functions to third parties consistent with its
> CPS?
Yes and No and Maybe. See [1].
> 2) Is this kind of delegation consistent with the Webtrust audit guidelines?
Yes, provided the CA has appropriate requirements and controls in place. This was most likely not the case here.
> If yes, were the third-party RAs audited?
The controls are audited, not the RA.
> And if not, is THAT consistent?
Mozilla may decide on additional requirements in this respect at any time.
> 3) Did Eddy's mozilla.com certificate work in MSIE before it was revoked?
Yes. Upon request the site is down now.
> 4) What response (if any) has Microsoft made towards this incident?
Microsoft is following this incident closely. Beyond that, I think you need to ask them directly (and request a public statement perhaps).
> If Comodo's CPS and Webtrust guidelines allow delegation of RA functions to
> unaudited third parties, that sounds like a gap in the guidelines, that should
> be addressed by the AICPA and in future audits of all enabled CAs.
I think that Comodo hasn't performed their duty according to what the WebTrust audit criteria require. I believe that any additional requirements have to be decided at Mozilla (and in its policy).
[1] http://groups.google.com/group/mozilla.dev.tech.crypto/msg/416aa6f5b5610ccf