Hi Gerv,

Gervase Markham wrote:
> One of the big advantages of EV is that we have a minimum standard for
> vetting that is actually enforced by audit - i.e. we don't have to
> assess the vetting practices of every CA (even if they would tell us
> what they were), because someone else has done it for us.
>
> It seems to me that it makes sense to leverage that, by saying that our
> criteria for EV enablement is a passed WebTrust EV Audit.

I just would like to remind you about the promise made at the beginning of this year (at and after the conference call), that Mozilla will work at the CAB forum for alternative (and definition of equivalent) third party audit other than WebTrust and/or implement its own alternative binding for Mozilla products only.
Since the guidelines for the EV audit are published in addition to the EV guidelines for CAs themselves, capable audit firms could perform this task without the CA having to use a WebTrust accredited auditor. This should only have an effect on the choice of acceptable auditors and not reduce the value of EV and the audit itself. The EV policy extension could be the place for such a definition.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto