Frank Hecker wrote:
>> But doesn't it imply - in this case - an AICPA audit. To all of my
>> knowledge it does, hence my suggestion to add it as a valid criteria.
>>
>
> I think I understand what you mean here: Are you saying that the
> WebTrust EV criteria in effect incorporate the traditional WebTrust
> criteria by reference, since a WebTrust EV audit has as a prerequisite a
> regular WebTrust for CAs audit?
>
Bingo!

> This is a subtle point, and one that could be argued both ways IMO. The
> relevant statement in the WebTrust EV document reads: "WT EV Audit
> Guidelines are to be used only in conjunction with the Principles and
> Criteria in the WebTrust Program for Certification Authorities. CAs that
> wish to issue EV Certificates must first go through a WT audit and then
> a WT EV audit." I don't read that language as implying "incorporation by
> reference", but it is indeed clear that you can't have a WebTrust EV
> audit without a WebTrust for CAs audit. (For example, it wouldn't make
> sense to have an audit against ETSI TS 101 456 and then try to do a
> WebTrust EV audit as a supplement to that; presumably no
> WebTrust-authorized auditor would agree to do this.)
>
That's the case right now...

>
>> Also in your own words you say that it's a supplement and not a
>> replacement. In my opinion an EV audit *extends* the traditional
>> criteria and *implements* EV.
>>
>
> I'd agree with that statement.
>
> After thinking about it, if we want to reference the WebTrust EV
> criteria in section 8, I think the best way to do this would be to add a
> final item to the list in section 8 as follows:
>
>   We consider the criteria for CA operations published in any of the
>   following documents to be acceptable:
>
>   ...
>
>   * "WebTrust for Certification Authorities - Extended Validation Audit
>     Criteria" in <a href="...">WebTrust for Certification Authorities -
>     Extended Validation Audit Criteria</a> (in conjunction with
>     "WebTrust Principles and Criteria for Certification Authorities")
>
> (Note that the item in quotes is the relevant section within the
> linked-to document of the same title. Compare this usage to other items
> in the section 8 list.)
>
> I think the above language clarifies that the WebTrust EV audit criteria
> don't stand on their own but imply use of the standard WebTrust
> criteria as well.
>
> Your thoughts?
>
+1

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:  +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto