Eddy Nigg (StartCom Ltd.) wrote:
> Now this is exactly the issue I'm seeing here. Shouldn't have KPMG
> confirmed the actual CPS against which the audit was performed? KPMG
> confirms to have audited against a CPS which didn't exist at the time
> of the audit and which wasn't valid in every respect including legally -
> this is/might be a problem.

Here's my interpretation of what happened: KPMG audited against the True BusinessID CPS of July 27, 2007 (which is referenced in the KPMG audit report); Appendix A1 of that document addresses EV. GeoTrust subsequently consolidated the CPSs into the GeoTrust CPS dated January 31, 2008, with the EV stuff moving into Appendix A1 of that document. I've compared the documents side by side and Appendix A1 in the new CPS appears to be identical to Appendix A1 in the old document, even down to the formatting.

KPMG then issued its WebTrust report on January 31, 2008, and referenced the new CPS (which has an effective date of the same day) as one of the documents by which GeoTrust had disclosed its practices (along with the older CPS). But as I understand it, the list of documents in the WebTrust report is simply a list of documents by which GeoTrust had disclosed its practices as of the date of the report; it does not necessarily imply that the document was used in the audit itself. And in the case of the GeoTrust audit there was another document that could have been and presumably was used in the audit, namely the CPS of July 27, 2007.

> IMO, KPMG should have confirmed the CPS which was valid at the time of
> the audit, with Verisign posting also the update of the current CPS
> (Yes, policies and practice statements get updated from time to time.
> I'm not sure if this could be an issue with the EV criteria

I don't think it's an issue with the EV criteria. The final EV guidelines were issued in June 2007, in plenty of time for them to be reflected in the July 27, 2007 CPS. (And as I mentioned earlier the EV portion of the July 27, 2007 CPS is carried over without changes in the January 31, 2008 CPS.) Also, the final WebTrust EV criteria were issued in September 2007, and we've previously learned through other sources that WebTrust audits in process at that time were switched over to reference the new criteria.

So as far as I can tell the KPMG audit of GeoTrust was an audit against the final WebTrust EV criteria using the final EV guidelines.

> and if this
> is the reason why they cared to explicitly list a CPS which wasn't valid
> at the time of the audit.

The new CPS didn't exist at the time of the audit, but it did exist at the time of the audit report. KPMG therefore (and IMO appropriately) listed it as one of the documents by which GeoTrust disclosed its practices. As I noted above, that's not the same as stating that the audit was based on that document and no other.

The bottom line: I think the way KPMG and GeoTrust wrote the audit report and the management assertions is unnecessarily confusing. However it doesn't appear to me that there were any irregularities or illegalities involved, and thus I don't think this is a material issue in terms of our evaluation of the GeoTrust request.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto