
WebTrust is an accounting entity; it's just a process formalism that allows companies like KPMG to "audit" CAs. I went down that rabbit hole and found the WebTrust standards document:

http://www.cica.ca/download.cfm?ci_id=45239&la_id=1&...

The technical stuff starts on page 34. The intro to the document claims that the WebTrust CA standard is loosely based on RFC2527:

http://www.ietf.org/rfc/rfc2527.txt

The technical material in these documents is about FIPS compliance for hardware crypto, key size, and backup/restore; in other words, the exact same stuff you'd read in a Common Criteria document, utterly divorced from actual operational or code security. Compare to the new PCI-DSS standard: on paper, it is actually harder to process an individual VISA card than it is to run a CA.

Neither document contains the letters "M-D-5" or requires serial numbers to be randomized. However, the majority of CAs do randomize serial numbers, suggesting a best practice that simply isn't included in the industry's CA certification standard.

The link you provided to the Bugzilla report on adding GeoTrust/RapidSSL is almost offensive; it reads: "we got audited by KPMG, here's our address", "ok, fill out this document", "ok, we'll add you to the next release".
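An added example (mine, not from the thread) that checks a certificate for the two things the comment above says neither standard requires anyone to look at: an MD5-based signature and a serial number too short to have been randomized. It walks the DER by hand so it needs only the standard library; the 64-bit threshold is an assumption, and the two sample certificates are constructed here with only the leading tbsCertificate fields the check reads.

```python
MD5_RSA_OID = "1.2.840.113549.1.1.4"   # md5WithRSAEncryption
MIN_SERIAL_BITS = 64                    # assumption: shorter serials are treated as non-random

def read_tlv(buf, pos):
    # Parse the DER TLV at pos; return (tag, contents, position after it).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    # Turn OBJECT IDENTIFIER contents into dotted form.
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    # Return (serial number, signature algorithm OID) from Certificate -> tbsCertificate.
    _, cert, _ = read_tlv(der, 0)                # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                # tbsCertificate SEQUENCE
    tag, _, pos = read_tlv(tbs, 0)               # optional [0] EXPLICIT version
    if tag != 0xA0:
        pos = 0                                  # v1 certificate: no version field, rewind
    _, serial, pos = read_tlv(tbs, pos)          # INTEGER serialNumber
    _, sigalg, _ = read_tlv(tbs, pos)            # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(sigalg, 0)              # its first element is the OID
    return int.from_bytes(serial, "big", signed=True), decode_oid(oid)

def audit(der):
    serial, oid = inspect_cert(der)
    findings = []
    if oid == MD5_RSA_OID:
        findings.append("md5 signature")
    if serial.bit_length() < MIN_SERIAL_BITS:
        findings.append("short serial")
    return findings

def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length, enough for the samples

def sample_cert(serial, sig_oid_hex):
    # Constructed sample: only the fields audit() reads are present.
    sigalg = tlv(0x30, tlv(0x06, bytes.fromhex(sig_oid_hex)) + tlv(0x05, b""))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, serial) + sigalg
    return tlv(0x30, tlv(0x30, tbs))
WEAK_CERT = sample_cert(b"\x10\x01", "2a864886f70d010104")                          # serial 4097, MD5-RSA
OK_CERT = sample_cert(bytes.fromhex("00af3a9c1de7b2056a"), "2a864886f70d01010b")    # 64-bit serial, SHA256-RSA
```

The leading 0x00 on the second serial is the DER rule for a positive INTEGER whose top bit is set, which the signed decode handles.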



I'm surprised and a bit skeptical that every CA (except for one) randomizes serial numbers without it being published in a standard or guidance document somewhere. Best practice usually has something worse than a (n - 1) distribution.


was the "one" in those articles? I didn't see. Anyway, who do you trust to buy certs from? I need to get a new one soon and would like recommendations.


What's slightly ironic is trust doesn't matter for the buyer.

As long as you purchase your certificate from a CA well placed in the major browser vendors, you're good to go.

Edit: Here's a list of Mozilla's included certificates: http://www.mozilla.org/projects/security/certs/included/



