Ian Grigg wrote:
> Lots of comments on audits.  In brief, I suggest they be
> treated as "just another thing that some CAs might do"
> and not be given a class of their own.
> <snip>
> > 12. The policy should take independent audits of CAs
>
> "or, any other independent reviews" ???

I agree with this approach: We have two types of CA evaluations to consider:
1. Evaluations associated with independent reviews of CAs. This includes audits as a subset, but could also include any other independent evaluations that have been done for a CA and which are available for us to use.

2. Evaluations done "in house" by Mozilla folks.

As a general rule, the more independent evaluation that has been done, the less we may need to do ourselves.

> Does that mean that if an audit is secret, then it will
> pass muster?  That won't work - the public audit document
> or report should be the input, as anything that happens
> behind closed doors should be by default discounted (to
> zero in my book...).

I'm guessing that in the case of some independent audits we might not have any other information than that the CA passed the audit. (If I'm wrong all the better.) In that case we can certainly consider other publicly available information that might contradict the auditor's opinion. However I don't think it makes sense simply to discount the audit result in that case, particularly if the audit was done according to some published criteria and we have no reason to believe that the audit was done in a fraudulent or incompetent manner.
Frank

--
Frank Hecker
hecker.org
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto