Paul Hoffman wrote:
> I propose that we simply do not allow classified audits. Those two CAs
> can get additional, non-classified audits if they want to be in the root
> store.
<snip>
> If FubarSign came to us with a "classified" audit from a commercial
> auditor, would we even consider it?
>
> Why should countries be different than commercial entities?
I actually think the issue is slightly different: How much detail do we need from an auditor's report? Note that a typical WebTrust audit report (the "WebTrust Audit Report and Management Assertions" document) doesn't go into full details about the results of the audit. Presumably the full WebTrust report (which might include the auditors' views on potential problems and recommendations for resolving them) is held confidential between the auditors and the audited CA.

So the question is, if a government CA provided a statement roughly equivalent to the (public) WebTrust report, would that be sufficient for us? I think the answer is arguably yes, provided that we have the same general level of confidence in the organization doing the evaluation as we would with a typical WebTrust-authorized auditor.

Clearly in the case of a totalitarian state we wouldn't have such confidence, so I think the North Korean example is a red herring. Per our policy we always reserve the right to bar a CA from inclusion if we think things are "hinky" (to use one of Bruce Schneier's favorite terms).

Frank

-- 
Frank Hecker

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto