On 14/2/09 02:15, Eddy Nigg wrote:
On 02/13/2009 11:46 AM, Ian G:
Don't fixate on the title. CAs generally have some set of documents that
are internal / not published, and some set of documents that are
published. If someone like the WebTrust people come along and say "CPS
must be published" then the CPS gets thinner and some other document
gets fatter...
Might be true.
... (but many times I prefer not
to disprove your claims, as it serves other interests of mine).
Perhaps you could share those other interests with all?
If I'd been interested in doing so I would have done so before, no? But to
give you a hint,
Always nice to inject a hint of drama and scandal ... but also ironic
that this conversation is about forcing a business to disclose its
decidedly private matters :)
it goes along the same lines as the claim that SSL certificates
cost thousands of dollars in order to enrich the CAs.
No scandal there!
It's a bit
similar with audits... true, audits are expensive, they are nowhere near a
cheap thing (certificates may be too), but there have been numbers
thrown around which aren't anywhere near reality either.
Well, the auditing business is a bit entrenched. It is considered by
the outside population to be akin to a magic charm, the wonderful touch
of an angel, sanctification of the business. Inside it's a bit more
like Bismarck's sausages: if you don't know what you're buying, you might
not like the way it is made.
So, let's hear your numbers then? It would be very important for the
people here to understand the *cost* of what they ask of CAs and to
evaluate that against the *benefit* they receive.
I have no firm numbers. I've heard one quote, around 70k euros for an
automatic fail in WebTrust-compatible, and twice that if wanting the
formal WebTrust.
(These above are hearsay.) Actual firm numbers on my activities are
provided here, following the policy:
http://wiki.cacert.org/wiki/AuditBudget . But don't take them as
indicative of the industry, they are strictly outliers, IMHO.
David wrote, and you supported:
* All documents supplied as evidence should be publicly available and
must be addressed in any audit.
Yes, sure. We probably can't accept a document coming out of the blue,
otherwise let's get rid of the audit requirement then...
Actually you can, and you should.
1. A document provided by the organisation is strong evidence; that's
why all docs are uploaded into Bugzilla. It is physical, it retains
itself over time, it has a time attached, it is a serious disclosure,
and it tells the story. The next auditor will find it very interesting
that such a disclosure has been made on request by a relying party, and
if notified that it is "interesting" can include it in the review (far
more effectively, I would say). The fear of a future auditor will
control that document far more effectively than the presence of a
current auditor :)
2. If you use your auditor like a notary, then expect notarial results
(talking here of European notaries, not Anglo notaries public).
But, this discussion is over, and we'll work with the results.
All of it, but especially the last part.
Dunno == "don't know." Common slang, sorry, comes of a poor education
and liberal upbringing.
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto