Frank Hecker wrote:

> In terms of audits associated with "EV-ness", I'm a little unclear on
> what other documents need to be referenced. Section J of the EV
> guidelines spells out the high-level audit requirements: basically
> either go through the WebTrust EV process or a process deemed as
> equivalent by the CAB Forum. There's a document "WebTrust for
> Certification Authorities - WebTrust Extended Validation Audit Criteria"
> on the CAB Forum web site; however it's marked as draft and the
> guidelines themselves don't mention it by name AFAICT. (The guidelines
> instead use the term "WebTrust EV Program".)

I believe that the two things are supposed to be equivalent; the different language is just sloppy drafting. As I understand it, this document is going to be finalised soon.

> My initial conclusion is
> that we don't need to reference the WebTrust draft document, but can
> confine ourselves to referencing the relevant section(s) of the guidelines.

Without an audit, how do we assure compliance?

One of the big advantages of EV is that we have a minimum standard for vetting that is actually enforced by audit - i.e. we don't have to assess the vetting practices of every CA (even if they would tell us what they were), because someone else has done it for us. It seems to me that it makes sense to leverage that, by saying that our criterion for EV enablement is a passed WebTrust EV Audit.

Gerv

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto