Nelson Bolyard wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> The change I proposed concerning CA applications and submission of the
>> relevant documents would solve this issue entirely. In the meantime I
>> suggest to always attach the audit papers to the bug.
>> Concerning the document SwissSign provided I think it's genuine,
>> confirms the criteria used and is signed by seal and names of the
>> auditors. I also uploaded it to the bug for future reference.
>>
>
> With the scanned copy of the document in hand, I could now produce a
> forgery showing that that same auditor had certified *ME* as having
> passed the audit. It would appear to have the same seal, same
> letterhead, etc. Or I could forge a certificate for Mickey Mouse!
>

Sure. My point is that even if the document is forged it would be used in court against whoever did the forgery...

> Of course, checking with the auditor to confirm the veracity of the
> document would disprove it. My point is that some sort of checking or
> confirmation from the auditor MUST be required, except in cases where
> the document's authenticity and origin are provable (e.g. if the document
> is digitally signed with a cert that traces up to a CA not under the
> applicant's control).
>

Yes, this might be a good practice (and new to the industry altogether).
--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390