If the information is critical for determining whether a CA's root
should be in the certificate store, then the document should be audited.
In the case at hand, the issue is whether the root should be enabled
for E-mail validation.  Because that issue is addressed in the CPS,
which we cannot see, we don't have any way to judge if the E-mail bit
should be enabled.

With an unaudited supplemental document, we would have no assurance that
Certigna operates in compliance with that document.  We should either
see an audit statement for the supplemental document or a certification
from the auditor or other trusted outside party that the document
substantially echoes the audited CPS.

--


So what should we do?
Should we ask our auditor for a certified document about our practices for e-mail validation?

Yannick LEPLARD
R&D Director
Dhimyotis S.A.
20, allée de la râperie
59650 Villeneuve d'Ascq
tel.: 03 20 79 24 09
fax: 03 20 34 20 52
www.dhimyotis.fr


--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
