David, would you be comfortable if all the 70+ CAs in the root store dropped their well-regulated WebTrust audits and went with security reviews like this one? That'd be fun to administrate.
Part of the reason that Mozilla should want audits to be done by real auditors is that those specialists have professional obligations over the quality of their work. They screw up and their license is at risk (never mind their insurance). That's simply not the case for reviews performed by an IT consultant. When Mozilla relies on Verisign's WebTrust audit, it's KPMG that's making the judgement call. In "equivalent" scenarios like this one, Mozilla is approving the quality of both the review and the reviewer. In other words, Mozilla is making the judgement and may be left holding the bag if there's a problem.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto