© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
0e1f616
(Get the code!)
(In reply to comment #31)
> 1) Is Comodo's delegation of RA functions to third parties consistent with its
> CPS?
Yes and No and Maybe. See [1].
> 2) Is this kind of delegation consistent with the Webtrust audit guidelines?
Yes, provided the CA has appropriate requirements and controls in place. This was most likely not the case here.
> If yes, were the third party RA's audited?
The controls are audited, not the RA.
> And if not, is THAT consistent?
Mozilla may decide on additional requirements in this respect at any time.
> 3) Did Eddy's mozilla.com certificate work in MSIE before it was revoked?
Yes. Upon request the site is down now.
> 4) What response (if any) has Microsoft made towards this incident?
Microsoft is following this incident closely. Beyond that, I think you need to ask them directly (and request a public statement perhaps).
> If Comodo's CPS and Webtrust guidelines allow delegation of RA functions to
> unaudited third parties, that sounds like a gap in the guidelines, that should
> be addressed by the AICPA and in future audits of all enabled CA's.
I think that Comodo hasn't performed their duty according to what the WebTrust audit criteria requires. I believe that any additional requirements have to be decided at Mozilla (and its policy).
[1] http://