On 2/18/06, Frank Hecker <[EMAIL PROTECTED]> wrote:
> I didn't envision this as being something that a person would just do as
> an independent activity, with the Foundation in essence "certifying"
> people to do this sort of work. It's more something that would be done
> in the context of a particular CA and its application for inclusion, and
> then only if a) the CA weren't doing a formal WebTrust audit (or similar
> formal audit done by an authorized auditor), and b) the CA were willing
> to grant the person in question the necessary access to its internal
> operations. Thus far the only CA that's fit criterion (a) has been
> CAcert, and they're still figuring out who they want to help them.
I figure that it'd be easier (for a CA) to deal with someone whose knowledge of cryptography and auditing procedures has already been tested and whose background has already been checked, when selecting someone to grant the necessary access to internal operations. This would provide a "jumpstart" on the process, as it would offer the possibility of eliminating the necessary wrangling over the "who to do it" decision.

I'm also asking this because I'd like to know what kinds of testing procedures (for the proposed auditor) are going to need to be required. For example, I know more than I really care to think about identity certification and CA operation, though I'm not as familiar with auditing. (From what I have seen, there isn't enough data obtained/retained by CAcert to be able to audit, but they seem to be undergoing some kind of internal deficiency determination/resolution, and I'd like to volunteer to assist them with, at the very least, the deficiency determination process.)

Which brings up another point: if (as a volunteer) I assist CAcert in determining what records need to be kept for auditing purposes, as well as help them write up their CPS (using only publicly available information, and no access other than email to the people who run the CA), would I become ineligible under the Mozilla Foundation's rules to actually perform the audit? Their draft CPS states that an audit may be performed by anyone other than an officer or Director of the incorporated entity, but I'd like some kind of clarification on what "independent" really means to MoFo.

Also, what is the deliverable of the audit? A report, or a report and a recommendation for or against inclusion, or what? (I would suggest merely a report, and let MoFo deal with the results. That way, there's a separation of privilege: the auditor observes, the Foundation acts.)
-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto