Frank Hecker:
> I don't think it's an issue with the EV criteria. The final EV
> guidelines were issued in June 2007, in plenty of time for them to be
> reflected in the July 27, 2007 CPS. So as far as I can tell the KPMG audit of
> GeoTrust was an audit against the final WebTrust EV criteria using the
> final EV guidelines.
>

What I meant is: whether the EV guidelines explicitly require the listing of the CPS against which the audit was performed, and whether, in case of an update of said CPS, a re-audit/confirmation or similar must be performed. Which could explain why this CPS was explicitly listed in order to make it a valid audit.

> The new CPS didn't exist at the time of the audit, but it did exist at
> the time of the audit report. KPMG therefore (and IMO appropriately)
> listed it as one of the documents by which GeoTrust disclosed its
> practices.

How can a CA disclose its practices based on a CPS which didn't exist at the time of the audit? The audit report is the summary and confirmation of said audit...

> As I noted above, that's not the same as stating that the
> audit was based on that document and no other.
>

No? If I read correctly, this is however exactly what it says:

    We have examined the assertion....disclosed in its CPS dated January 31, 2008. In our opinion, for the period July 2007 through November 2007....

Like: in the period 2007...has disclosed in the CPS dated 2008... Shouldn't it be the other way around: first disclose, then audit according to the disclosed information... :-\

> The bottom line: I think the way KPMG and GeoTrust wrote the audit
> report and the management assertions is unnecessarily confusing.

Yes, and most likely unneeded. I've also already read your reply at the bug and to this list, so I'm not going to argue about your examination and decision. My job is/was to make you aware of eventual irregularities.

As I mentioned in the first post, I only scratched at the surface of this inclusion request by looking at the entry at http://www.mozilla.org/projects/security/certs/pending/#GeoTrust . The date of the CPS immediately jumped to my eye, like "WOW, that's pretty fast, how did they perform and confirm an audit already?" Confirming the date of the CPS and the audit statement in the actual documents triggered my post, which is IMO exactly what I should do and have done.

BTW, this is the way I usually process information concerning inclusion requests: starting from the "Pending" page and bug entries, and working myself through the documents as far as and until I find something or not. For EV audits I'm not investing the same amount of time as with other requests, assuming that the EV criteria and audit guidelines cover most already. So I usually just review the obvious information if it's an EV request. Of course this is not true if the same root also issues non-EV certificates.

So much about me picking on details such as these...

--
Regards

Signer:     Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:     [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:       Join the Revolution! <http://blog.startcom.org>
Phone:      +1.213.341.0390

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto