Eddy Nigg wrote:
> On 02/11/2009 07:19 PM, Yannick LEPLARD:
>> So what should we do?
>> Should we ask our auditor for a certified document about our practices for
>> e-mail validation?
>
> Yannick, what are the chances to publish the CPS? Please note that all
> CAs which have been included into Mozilla NSS during the last few years
> published their CPS, this is common practice.

To add to Eddy's question: If there is Certigna-confidential information
in the CPS that is not relevant to the questions we have, you could
publish a version of the CPS with the confidential material redacted [1].
Another alternative is to publish just those portions of the CPS that
address the question of email verification, and have your auditor
confirm to us that the section(s) in question are from the CPS that was
referenced in your audit.

Frank

[1] For anyone interested, the US National Security Agency has published
a useful set of guidelines for how to properly redact Microsoft Word
documents published as PDF files:
http://www.fas.org/sgp/othergov/dod/nsa-redact.pdf
--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto