[EMAIL PROTECTED] wrote:
> David, would you be comfortable if all the 70+ CAs in the root store
> dropped their well-regulated WebTrust audits and went with security
> reviews like this one?  That'd be fun to administrate.
> 
> Part of the reason that Mozilla should want audits to be done by real
> auditors is that those specialists have professional obligations over
> the quality of their work.  They screw up and their license is at risk
> (never mind their insurance).  That's simply not the case for reviews
> performed by an IT consultant.
> 
> When Mozilla relies on Verisign's WebTrust audit, it's KPMG that's
> making the judgement call.
> 
> In "equivalent" scenarios like this one, Mozilla is approving the
> quality of both the review and the reviewer.  In other words, Mozilla
> is making the judgement and may be left holding the bag if there's a
> problem.

An IT consultant whose expertise and integrity have been evaluated is
better than an Enron or Worldcom auditor.  I looked carefully at the
WebTrust criteria when I was working on trying to certify CACert as a CA
(before I was distracted by being appointed to my county's grand jury).
 They contain many redundant and irrelevant items relative to the trust
issues that underlie root certificates, items that are likely very dear
to auditors.

The whole idea of Section 9 of the Policy is to provide for approving
CAs (such as CACert) that are non-profit and don't have the resources to
pay for an auditor.  I found problems with CACert that it was fixing at
the time I had to stop my effort.  The person who took over the
evaluation found new problems, which is one reason why CACert withdrew its
request for inclusion in Mozilla's root certificate database.

So far, the use of IT consultants does seem to work.  However, that use
has only served to prevent the approval of root certificates.  You
should be prepared to express your concerns once an IT consultant's
efforts indicate a root certificate should be approved.  In the
meantime, I'm not sure an IT consultant's review of a CA is any less
rigorous or trustworthy than some government reviews that are being
cited in another thread in this newsgroup (Subject: CAs and country
restrictions).

-- 

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation. © 1997
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto