On 12/30/2008 04:04 AM, Ben Bucksch:
> So, who actually controls that verifications are done at all? I mean,
> paper is nice, I can claim and write all I want, and not actually do it,
> but I thought the point of the audit was to *check* and control and
> ensure that the processes are *actually* carried out as specified. What
> else is an audit for? To get the CEO's signature that he claims to do
> what he wrote, or what? We don't need an audit for that, a scan of his
> signature would do.
> Verifications are the core of a CA's business, and the audit is there to
> control the CA's *actual* operations by an *independent* party, because
> it's exactly not sufficient to just trust the CA to do things properly,
> or to trust the CA that it trusts its RA, without ever actually checking
> it.
Apparently the auditors found a binding agreement sufficient enough for
resellers to perform those validations. This, in addition to random
checks and samples performed by the CA. The audit mostly confirms what
the CP/CPS claims.
This is most likely not what the Mozilla CA Policy envisioned and
requires. As a matter of fact, we could have known about it and
considered it insufficient during Comodo's review last spring.
Unfortunately, even if it came up in some form, it was drowned out by the
other concerns which were on the table. We could re-read those discussions
in order to find out.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto