> Specifically: How many RAs do remain?
I haven't ever required CAs to publicly disclose the number of RAs that they have.
> I still think that any RA must run through the same audit as the CA itself,
> given that the RA performs one of the two core functions of the CA
> ( a) validation and b) signing).
>
> I'd like all that to be formal and binding, in the policy documents. Which
> checks Comodo itself performs, which diligence. If there are any RAs, which
> requirements they have to meet, and how these are enforced.
In regards to RAs and Resellers, the CP/CPS should include information about the procedures they are required to follow and how that is enforced and audited. I think that these questions about RA requirements and enforcement/auditing are reasonable questions to ask and have answered by the CA.