> --- Comment #39 from Nelson Bolyard
> (In reply to comment #38)
>
>> Would it be possible to provide us with a URL or document of
>> the audit attestation by the auditor?
>>
>
> I believe that should be (is?) a requirement.
> Ideally it would be a URL from the auditor's web site.
>

As I have mentioned previously on this list and in private, for various reasons I'd like to suggest changing the procedures and the process of CA root requests to require an official request made by the CA on real paper by registered postal mail, which would include the most important details of the CA, the X.509 certificate and fingerprints (on paper) and the attestation of the auditor in original form (the latter could be returned to the CA after scanning and copying). The audit papers could be attached to the bug eventually...

There are various reasons for this in my opinion, be it from a legal point of view or as a way to verify the keys and audits accordingly. I think it's less than sufficient to point to some web site which has a vague description about what the audit may or may not have entailed (if at all). *Who, when, where* and most important *what* has been signed? What does it confirm and what not?

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390