[EMAIL PROTECTED] wrote:

> This is a broader comment on the Mozilla CA policy. If the desire is
> to include security reviews that are equivalent to a WebTrust audit,
> then for reviews against technical standards like ETSI the policy
> should require annual reviews as well as provide more detail on what
> comprises a "Competent Party" (is it an auditor with professional
> obligations, or simply someone who's been around the block?).
When determining who is a "Competent Party", I would not put too much emphasis on whether he or she is a licensed or certified auditor. Auditors are generally focused on business practices, especially fiscal issues. Often, when I hear "auditor", I think "CPA".

For over 30 years, I was a software test engineer working on systems for military space satellites, mostly as a third-party contractor with no connection to the software developer. I "audited" software systems to ensure they correctly implemented the documented, approved requirements. This included designing and running system-level tests as well as reviewing the software developer's lower-level test procedures and results. (There is no point in reviewing results if the procedures are worthless.) In the process, I would also reevaluate the requirements to make sure they still reflected actual user needs and wishes.

I believe the key issues with certificate authorities relate to whether they are operating in a computer-based environment correctly. The technology issues outweigh the business issues. Thus, when determining who is a "Competent Party", we must be careful not to allow the word "auditing" to mislead us into looking for the wrong qualifications.

-- 
David E. Ross
<http://www.rossde.com/>

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto