[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NEW Data type for certificate selection ?

To: "Ed Gerck" <egerck@xxxxxxxxxxxxxxxxxxx>, "Anders Rundgren" <anders.rundgren@xxxxxxxxxx>
Subject: RE: NEW Data type for certificate selection ?
From: "Phillip M Hallam-Baker" <pbaker@xxxxxxxxxxxx>
Date: Wed, 7 Oct 1998 10:16:04 -0400
Cc: <ietf-pkix@xxxxxxx>, <list@xxxxxxxxxxxxxxxxx>
Importance: Normal
In-reply-to: <>
Sender: owner-ietf-pkix@xxxxxxx

> The uncertainty reaches a point of almost uselessness, where CAs
> usually explicitly state in the certification contracts that the CA
> is exempt of all or almost all responsibility regarding the
> "certificate", its accuracy and its data. For example:

Taking one part of a contract in isolation is misleading. The VeriSign
contract has a 'disclaim all implied warranties clause', in other words
it states that the only warranties provided are those explicitly stated.

The explicitly stated warranty consists of NetSure insurance in a sum
that varies from $1,000 to $100,000 depending on the certificate
category. If necessary higher sums could be agreed. This is real
insurance underwritten by a leading insurer.


> As publicly declared by Phillip Hallam-Baker, a
> Verisign consultant, not only are the CPSs indeed different and
> self-made by each CA but they are not designed to be audited, either:
> "There is not as yet a defined standard for CA practices against
> which a company may be audited. In effect each company states their
> own practices in their Certificate Practices Statement (CPS). The CPS
> is not a document designed for auditing use however. It describes a
> 'specification', it does not describe details which may be checked by
> a third party in a systematic manner."

Here you are quoting me out of context. This was in the context of 
your argument concerning the use of a standardized audit statement. 

Taking off the cuff statements out of mailing list exchanges and
quoting them verbatim offline without checking the context seems 
somewhat odd behaviour.

I was arguing that before you could use 'audit statements' in the
manner you envisioned there had to be agreement on audit standards.
Work on audit standards for a CPS is taking place. It is thus entirely
misleading to take a specific objection to a specific use of auditing
for a specirfic purpose and conclude that no CPS can ever be audited.


Saying that a CPS issued by BongoCert Inc. may not necessarily prove
to be auditable is not the same as saying that 'A CPS is not designed
to be audited'. In fact a CPS can be designed to be auditable and
the ability to conduct an audit may be considered a quality differentiator
between CPSs.

Rather than 'does not describe' I would instead restate this as
'does not necessarily describe'.


The problem I believe I was having with your argument was that the
invocation of 'auditors' appeared to be used as a panacea as if the
statement 'I have been audited' translated to the conclusion 'He is 
trustworthy' without taking account of how the audit was performed,
who performed it and what the objective of the audit was.


			Phill

Follow-Ups:
- Common misconception #10. was RE: NEW Data type for certificate
  - From: Ed Gerck

References:
- RE: NEW Data type for certificate selection ?
  - From: Ed Gerck

Prev by Date: Re: DNS Name definition
Next by Date: Common misconception #10. was RE: NEW Data type for certificate
Previous by thread: RE: NEW Data type for certificate selection ?
Next by thread: Common misconception #10. was RE: NEW Data type for certificate
Index(es):
- Date
- Thread