NSS

Comment 38 for bug 310999

(In reply to comment #31)
> 1) Is Comodo's delegation of RA functions to third parties consistent with its
> CPS?

Yes and No and Maybe. See [1].

> 2) Is this kind of delegation consistent with the Webtrust audit guidelines?

Yes, provided the CA has appropriate requirements and controls in place. This was most likely not the case here.

> If yes, were the third party RA's audited?

The controls are audited, not the RA.

> And if not, is THAT consistent?

Mozilla may decide on additional requirements in this respect at any time.

> 3) Did Eddy's mozilla.com certificate work in MSIE before it was revoked?

Yes. Upon request, the site is down now.

> 4) What response (if any) has Microsoft made towards this incident?

Microsoft is following this incident closely. Beyond that, I think you need to ask them directly (and request a public statement perhaps).

> If Comodo's CPS and Webtrust guidelines allow delegation of RA functions to
> unaudited third parties, that sounds like a gap in the guidelines, that should
> be addressed by the AICPA and in future audits of all enabled CA's.

I think that Comodo hasn't performed their duty according to what the WebTrust audit criteria require. I believe that any additional requirements have to be decided at Mozilla (and in its policy).

[1] http://groups.google.com/group/mozilla.dev.tech.crypto/msg/416aa6f5b5610ccf