On 2/10/2009 8:16 PM, Frank Hecker wrote: > David E. Ross wrote: >> On 2/10/2009 12:06 PM, Frank Hecker wrote: >>> If you cannot publish the CPS because it contains private information, I >>> suggest as an alternative that you provide some sort of official >>> Certigna document that summarizes the portions of the CPS that are of >>> most interest to us (i.e., those relating to validation of subcriber >>> information). > <snip> >> However, not only should they provide some alternative documentation but >> also that documentation should be considered during the required audit. > > My assumption was that if the material in the document was based on the > CPS then it would have been covered in the audit, since presumably the > audit was based on what was in the CPS. > > Frank
If the information is critical for determining whether a CA's root should be in the certificate store, then the document should be audited. In the case at hand, the issue is whether the root should be enabled for E-mail validation. Because that issue is addressed in the CPS, which we cannot see, we don't have any way to judge if the E-mail bit should be enabled. With an unaudited supplemental document, we would have no assurance that Certigna operates in compliance with that document. We should either see an audit statement for the supplemental document or a certification from the auditor or other trusted outside party that the document substantially echoes the audited CPS. -- David E. Ross <http://www.rossde.com/>. Don't ask "Why is there road rage?" Instead, ask "Why NOT Road Rage?" or "Why Is There No Such Thing as Fast Enough?" <http://www.rossde.com/roadrage.html> -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
