Eddy Nigg (StartCom Ltd.) wrote:
> The change I proposed concerning CA applications and submission of the
> relevant documents would solve this issue entirely.  In the meantime I
> suggest to always attach the audit papers to the bug.
> Concerning the document SwissSign provided I think it's genuine,
> confirms the criteria used and is signed by seal and names of the
> auditors. I also uploaded it to the bug for future reference.

With the scanned copy of the document in hand, I could now produce a
forgery showing that that same auditor had certified *ME* as having
passed the audit.  It would appear to have the same seal, same
letterhead, etc.  Or I could forge a certificate for Mickey Mouse!

Of course, checking with the auditor to confirm the veracity of the
document would disprove it.  My point is that some sort of checking or
confirmation from the auditor MUST be required, except in cases where
the document's authenticity and origin are provable (e.g. if the document
is digitally signed with a cert that traces up to a CA not under the
applicant's control).

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
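The exception the post carves out, a document whose authenticity is provable because it is digitally signed under a CA the applicant does not control, is straightforward to turn into a mechanical check. The Go program below is an added example written for this page, not code from the thread or from any CA or auditor; it uses only the standard library and stands in an ECDSA signature with an X.509 chain for whatever signed-document format (S/MIME, CMS, PDF signatures) a real audit letter would carry. All names ("Example Audit Firm Root", "Applicant CA Root", "Lead Auditor") and the letter text are constructed. The relying party's trust store holds only the auditor's root, so a letter signed under a certificate the applicant issued itself, however convincing the name on it, fails the chain check, and a letter whose text was altered after signing fails the signature check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// signedLetter is a constructed stand-in for a digitally signed audit letter:
// the letter bytes, a detached signature over their SHA-256 hash, and the
// signer's certificate. The trust anchor is deliberately NOT carried with the
// letter; the relying party supplies it from its own trust store.
type signedLetter struct {
	Content []byte
	Sig     []byte
	Signer  *x509.Certificate
}

// newCert issues a certificate. With parent == nil it is a self-signed CA
// root; otherwise it is an end-entity signing certificate under parent.
func newCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	signerKey := key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = tmpl // self-signed
	} else {
		signerKey = parentKey // issued by the parent CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signLetter produces a detached ECDSA signature over SHA-256(content).
func signLetter(content []byte, signer *x509.Certificate, key *ecdsa.PrivateKey) (*signedLetter, error) {
	h := sha256.Sum256(content)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	if err != nil {
		return nil, err
	}
	return &signedLetter{Content: content, Sig: sig, Signer: signer}, nil
}

// verifyLetter is the check the post calls for: the signer's certificate must
// chain to a root in `trusted` (roots the applicant does not control), AND the
// signature must match the letter bytes actually received.
func verifyLetter(l *signedLetter, trusted *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := l.Signer.Verify(opts); err != nil {
		return fmt.Errorf("signer does not chain to an independent trusted root: %w", err)
	}
	pub, ok := l.Signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected signer key type")
	}
	h := sha256.Sum256(l.Content)
	if !ecdsa.VerifyASN1(pub, h[:], l.Sig) {
		return errors.New("signature does not match letter contents")
	}
	return nil
}

// scenario runs three constructed cases and reports whether each is accepted:
// the genuine letter, a letter signed under the applicant's own CA with the
// auditor's name on the certificate, and the genuine letter with altered text.
func scenario() (genuine, forgedIssuer, tampered bool, err error) {
	auditorCA, auditorCAKey, err := newCert("Example Audit Firm Root (constructed)", nil, nil)
	if err != nil {
		return
	}
	applicantCA, applicantCAKey, err := newCert("Applicant CA Root (constructed)", nil, nil)
	if err != nil {
		return
	}
	auditorCert, auditorKey, err := newCert("Lead Auditor", auditorCA, auditorCAKey)
	if err != nil {
		return
	}
	// Same name, same look; but issued by a CA the applicant controls.
	lookalikeCert, lookalikeKey, err := newCert("Lead Auditor", applicantCA, applicantCAKey)
	if err != nil {
		return
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(auditorCA) // only the auditor's root is trusted

	letter := []byte("Constructed sample: ExampleCo has passed the CA audit.")
	real, err := signLetter(letter, auditorCert, auditorKey)
	if err != nil {
		return
	}
	genuine = verifyLetter(real, trusted) == nil

	fake, err := signLetter(letter, lookalikeCert, lookalikeKey)
	if err != nil {
		return
	}
	forgedIssuer = verifyLetter(fake, trusted) == nil

	real.Content = []byte("Constructed sample: Mickey Mouse has passed the CA audit.")
	tampered = verifyLetter(real, trusted) == nil
	return
}

func main() {
	g, f, t, err := scenario()
	fmt.Println("genuine accepted:", g, "| forged issuer accepted:", f, "| tampered accepted:", t, "| err:", err)
}
```

The order of checks matters in practice: the chain check runs first because a valid signature from a key nobody vouches for proves nothing, which is exactly the scanned-seal problem the post describes. The trust store is the policy decision: it should contain the auditor's root obtained out of band, never a root supplied in the same bug attachment as the letter.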