On 02/10/2009 06:30 PM, Ian G:
> a. Time. There is always some element of change between the last audit
> and current practice. Audits are "snapshots of the past" not proofs over
> the present nor future.

So far correct.

> And, there is an expectation that audits are
> repeated over time, the new guy has to have something to work with.

Correct, but it's not audited - whatever it is.

> Also, factor in 40 week + distro delays, and consider asking CAs to sit
> on their hands for a year or so.

No, did anybody suggest that and where?

> b. The emphasis of the audit is over whether management has put in place
> policies and procedures, sticks to them. Any check over particular
> activities is not there to "audit those activities in themselves" but to
> provide evidence of the policies and procedures in general as a reliable
> guide to the reading public.

No, that statement is basically bullshit :-)

Particular activities are audited including evidence of the specific policies and procedures.

> d. Having said that, a specific audit criterion may state a check is
> needed on X. One would have to go back and read WebTrust to see if it
> has a criterion on X==codesigning. That still doesn't change the other
> issues, but it may give you something to "rely" on when it comes to
> codesigning specifically.

Wrong! If the CPS doesn't mention code signing then it's not audited. No samples of those procedures are taken by the auditor either. Audits pretty much confirm what the CA claims to do.


> That's my view at the moment, I'm looking forward to others!


Audits are very specific and you can forget about the "general" references. As such we have precedent in this respect (in particular code signing).


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
