Frank Hecker wrote:
> Nelson Bolyard wrote:
>> Does Mozilla accept documents, *received from the applicants* (the CAs),
>> that purport to be true copies of auditor's attestation documents, as
>> being true copies of such documents, without any further proof?
>
> I don't think we've ever formulated a formal policy on this issue one
> way or another. In this case the document in question (i.e., SwissSign's
> certificate from KPMG) is IMO simply supporting documentation for
> information already available from an independent source (i.e., SAS),

OK, I had not ascertained that there was independent confirmation from the
info in the bug report.

> so I am not as concerned about this issue as I otherwise might be.

I agree. Thanks for the info that independent confirmation exists.

> I think a similar procedure of independent confirmation is worth doing
> in other cases where CAs provide documents like this, especially if the
> document in question is the sole or primary source of information we
> have relating to independent audits and evaluations.

I think there should be a policy about this. There should be something in
writing that requires that more proof be supplied than documents available
exclusively from the applicant, IMO.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto