On 29.12.2008 19:04, Frank Hecker wrote:
> So, in theory at least a WebTrust for CAs audit is supposed to confirm management's assertions that verification of subscriber information is being done properly, including any verifications done by third-party RAs acting on behalf of the CA. In practice such confirmation is not necessarily based on doing detailed investigation of each and every RA; it might instead be based on examination of the overall controls put in place to regulate RAs.

So, who actually controls that verifications are done at all? I mean, paper is nice, I can claim and write all I want, and not actually do it, but I thought the point of the audit was to *check* and control and ensure that the processes are *actually* carried out as specified. What else is an audit for? To get the CEO's signature that he claims to do what he wrote, or what? We don't need an audit for that, a scan of his signature would do.

Verifications are the core of a CA's business, and the audit is there to control the CA's *actual* operations by an *independent* party, because it's exactly not sufficient to just trust the CA to do things properly, or to trust the CA that it trusts its RA, without ever actually checking it.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto