On 11/16/2007 1:19 AM, Eddy Nigg (StartCom Ltd.) wrote:
> Nelson Bolyard wrote:
>> I agree that the questions you asked are the important ones to be
>> answered.  And I think Mozilla should require that the answers come
>> straight from the auditor/accreditor, and NOT from the CA itself,
>> as accepting papers from the CA provides too much temptation to forge
>> such documents.
>>
>> But, how does paper improve this?
>>   
> Paper is easier to handle from the legal point of view. If it's 
> forged, one can prove even exactly that as well in a court much easier...
>> Is it a matter of persistence, i.e. that Mozilla can rely on the papers
>> even if the auditor's web site goes down?
>> I would rather rely on a page from the auditor's web site than from
>> papers received from the CA, purporting to be from the auditor!
>>   
> As I tried to explain initially:
> 
> Who: The company and responsible person(s) which signed the audit 
> (Something which can be verified with very little effort).
> When: When was the audit performed and signed.
> Where: Where was the audit performed and signed.
> What: What does it all include...
> 
> Usually all the above is provided in the attestation by the auditor. And 
> most software (+browser) vendors require CAs to send in real paper. I 
> think Mozilla is the exception here. BTW, also the auditor web site can 
> go down at some point, leaving Mozilla with absolutely nothing...
> 

Somehow, I thought we were entering an era of electronic notaries and
signatures.  See, for example,
<http://www.leginfo.ca.gov/cgi-bin/displaycode?section=gov&group=00001-01000&file=1-26>
and <http://www.sos.ca.gov/digsig/digsig.htm> for how California has
been handling electronic signatures by government agencies for a few
years.

-- 
David E. Ross
<http://www.rossde.com/>

Natural foods can be harmful:  Look at all the
people who die of natural causes.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
