The change I proposed concerning CA applications and submission of the relevant documents would solve this issue entirely. In the meantime I suggest always attaching the audit papers to the bug. Concerning the document SwissSign provided, I think it's genuine, confirms the criteria used and is signed by seal and names of the auditors. I also uploaded it to the bug for future reference.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390

Frank Hecker wrote:
> Nelson Bolyard wrote:
>
>> Does Mozilla accept documents, *received from the applicants* (the CAs),
>> that purport to be true copies of auditor's attestation documents, as
>> being true copies of such documents, without any further proof?
>>
>
> I don't think we've ever formulated a formal policy on this issue one
> way or another. In this case the document in question (i.e., SwissSign's
> certificate from KPMG) is IMO simply supporting documentation for
> information already available from an independent source (i.e., SAS), so
> I am not as concerned about this issue as I otherwise might be.
>
> However the certificate lists the names of two KPMG employees (Reto
> Grubenmann and Alain Beuchat), and Mr. Grubenmann's contact information
> is available on the kpmg.ch web site. I've therefore sent him a note and
> asked him to confirm that this is indeed a genuine KPMG document.
>
> I think a similar procedure of independent confirmation is worth doing
> in other cases where CAs provide documents like this, especially if the
> document in question is the sole or primary source of information we
> have relating to independent audits and evaluations.
>
> Frank
>
> _______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto