I have a small clarification question here...

> * an "independent party" can be someone "who is not affiliated with the
> CA as an employee or director" and "is not financially compensated by
> the CA".

I would sincerely hope that the direct and indirect costs of performing the audit (including travel expenses and labor) would be borne by the CA. If that could be modified to say "is not financially compensated by the CA in any fashion other than direct and indirect costs associated with the audit", that would be more appropriate (in my opinion). WebTrust certification forces the subject of the audit to pay for the auditing costs.

-Kyle H

On 2/17/06, Frank Hecker <[EMAIL PROTECTED]> wrote:
> Gervase Markham wrote:
> > And I don't know what Frank would say, but I'm not sure that a review
> > from a single unqualified individual could meet the "WebTrust or
> > equivalent" standard in the CA cert policy.
>
> The Mozilla CA certificate policy doesn't say anything about "WebTrust
> or equivalent". What it does say is that
>
> * CA conformance must be attested to by "a competent independent party
> or parties with access to details of the CA's internal operations";
>
> * a "competent party" can be someone "for whom there is sufficient
> public information available to determine that the party is competent to
> judge the CA's conformance to the stated criteria", based on the party's
> "knowledge of CA-related technical issues such as public key
> cryptography and related standards; experience in performing
> security-related audits, evaluations, or risk analyses; and honesty and
> objectivity"; and
>
> * an "independent party" can be someone "who is not affiliated with the
> CA as an employee or director" and "is not financially compensated by
> the CA".
>
> If a CA were to propose someone who was not an actual professional
> auditor authorized to do WebTrust or other formal audits, then that
> person (or persons) would have to meet the requirements above, the CA
> and/or would have to publish information regarding the person's
> qualifications, and we could then debate within this group or in other
> contexts (e.g., a relevant Bugzilla bug) whether the person was actually
> qualified based on the information available.
>
> Frank
>
> --
> Frank Hecker
> [EMAIL PROTECTED]
> _______________________________________________
> dev-tech-crypto mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-tech-crypto

