Nelson Bolyard wrote:
> I agree that the questions you asked are the important ones to be
> answered. And I think Mozilla should require that the answers come
> straight from the auditor/accreditor, and NOT from the CA itself,
> as accepting papers from the CA provides too much temptation to forge
> such documents.
>
> But, how does paper improve this?

Paper is easier to handle from the legal point of view. If it's forged, one can prove even exactly that as well in a court much easier...

> Is it a matter of persistence, i.e. that Mozilla can rely on the papers
> even if the auditor's web site goes down?
> I would rather rely on a page from the auditor's web site than from
> papers received from the CA, purporting to be from the auditor!

As I tried to explain initially:
Who: The company and responsible person(s) which signed the audit (something which can be verified with very little effort).
When: When was the audit performed and signed.
Where: Where was the audit performed and signed.
What: What does it all include...

Usually all the above is provided in the attestation by the auditor. And most software (+browser) vendors require CAs to send in real paper. I think Mozilla is the exception here.

BTW, also the auditor web site can go down at some point, leaving Mozilla with absolutely nothing...

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto