Paul Hoffman wrote:
> I thought the topic of this thread was:
>
>> There are currently two CAs who have applied for inclusion in the NSS
>> store but their audits were done by their respective governments and are
>> classified, and/or they are directly controlled by those governments.
>
> If it is classified, that means we do not have access to the information
> in it; that's the part we are talking about.

I should have been more clear. What we have, in the Korean case, is a letter from the government which confirms that the organisation has been audited to WebTrust standards.

https://bugzilla.mozilla.org/attachment.cgi?id=258631

(we'd presumably need a copy of that directly from MIC!)

This is how they got into the Microsoft root store. I assume we could get a similar letter from the French; I think I had one once, but I can't find it now. They have said:

Auditor: Secretariat Général de la Défense Nationale - General Secretariat of National Defence, which acts as the French national security authority
Audit Document URL(s): confidential (classified)

>> Our trust restriction is based on where the auditor has authority to
>> pronounce a set of procedures "good enough". The Korean government has
>> authority to do so for Korean companies.
>
> OK, now you're saying that their audit is not as good as a WebTrust
> audit.

I'm not saying that; I'm asking if it actually matters whether it's as good or not as good, given that they (the government) are the people who decide in Korea what is a business and what isn't, and so on.

As it happens, the MIC (Korean ministry) asserts in the letter linked above that their audit is WebTrust-equivalent.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto