Jay Schiavo replies at the bug https://bugzilla.mozilla.org/show_bug.cgi?id=407168#c24 with the following:
> We did consolidate all our CPSs into one document. However, the EV sections included in the CPS were copied over from the True business ID with EV CPS. There were no changes to the EV procedures in the new document from what was previously published.
>
> Additionally, please note: *the latest WebTrust audit does refer to the version 1.0, January 2008 CPS*: https://cert.webtrust.org/SealFile?seal=650&file=pdf so this should not be an issue.

Now this is exactly the issue I'm seeing here. Shouldn't KPMG have confirmed the actual CPS against which the audit was performed? KPMG confirms to have audited against a CPS which didn't exist at the time of the audit and which wasn't valid in every respect including legally - this is/might be a problem.

IMO, KPMG should have confirmed the CPS which was valid at the time of the audit, with Verisign posting also the update of the current CPS (Yes, policies and practice statements get updated from time to time. I'm not sure if this could be an issue with the EV criteria and if this is the reason why they cared to explicitly list a CPS which wasn't valid at the time of the audit. Updating a policy shouldn't be an issue for Mozilla itself, provided that the minimum requirements and general language are kept).

With GeoTrust and Thawte audit reports the effective dates are only after the 31st of January 2008... I really wonder how KPMG and their lawyers confirmed such a thing...

--
Regards

Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>