On 12/2/09 01:17, Eddy Nigg wrote:
On 02/12/2009 01:37 AM, Ian G:
Audit does an audit context. The two are different. Don't mix them; most
all audits are done according to defined audit criteria, such as
WebTrust or ETSI or DRC.
Yes, and Mozilla relies on them, period.
Yes, it's just another relying party to an audit opinion, just like any
other user. This means it gets to read the opinion.
It doesn't get to stipulate any conditions. (Maybe it should, that's
another story.) Imagining conditions doesn't help.
Asking an auditor to sign off on random documents that have nothing to
do with the criteria, the audit world and the direct process raises
questions.
Right, that's why CAs MUST publish their CPS.
I agree this whole thing would go away if all CAs published their CPSs.
But reasons have been outlined why this is not the case, and Mozilla
(/Frank) has decided that's OK.
It's their review, as you mentioned above.
I would claim that no (or few) auditors to date have been
asked to verify a CA according to Mozilla review.
Not "Mozilla Review", but if we want to facilitate other documents
beyond CSP then I have no problem accepting them if an auditor agrees to
confirm those documents. It's really not our problem.
Well, that depends on our metrics of success and efficiency. For my
part, I think it good to hold down costs and only add burden where there
is a commensurate benefit.
If a CA provides a document, there is no commensurate benefit in asking
the auditor to play notary for them. Indeed, there is a benefit in
asking them to provide documents "as is" knowing that a future auditor
can read the submissions and verify the claims made. And, as those
provided documents are there and form part of the public record, there
is plenty of scope for later verification.
PS: I for one would definitely champion rewriting the WebTrust process
but this is not the way to do it.
PS: PS: Why not? Go for it. Talk to them.
lol.... I see you also have a copy of OSS's sabotage manual :)
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto