David E. Ross wrote:
> On 11/25/2007 8:01 AM, Eddy Nigg (StartCom Ltd.) wrote:
>> David, secret or confidential audit statements are not accepted by
>> Mozilla as far as I know.
>
> On further analysis, the second bullet under #6 in the policy needs to
> make clear that the CP and CPS must be public. Allowance could be made
> where content normally expected in either document is instead elsewhere,
> but that "elsewhere" must then be public. The current phrasing of that
> bullet leaves too much room for interpretation.
>

I don't think so really....:

"*publicly disclose* information about their policies and business practices (e.g., in a Certificate Policy and Certification Practice Statement);"

How much more public should it be? I think the policy is pretty clear about that point...

> Also, the fifth bullet under #6 of the policy should make clear that the
> required attestation must be available directly from the attester. The
> policy is not sufficiently clear that, while a copy of the attestation
> from the CA might be useful, it cannot be accepted as authoritative

Yes, I have already suggested a change to current practice by Mozilla. It's common practice by software vendors to require the audit statements and other information in hard copy with the information about who, where, when and what signed. I think there is general agreement on this list to improve this aspect of the CA root acceptance process.

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390