On 6/04/2014 05:46 am, coderman wrote:
> On Mon, Mar 31, 2014 at 3:33 PM, ianG <i...@iang.org> wrote:
>> ...
>> In some ways, this reminds me of the audit reports for compromised CAs.
>> Once you know the compromise, you can often see the weakness in the
>> report.
>
> are these public reports? such a collection of compromise reports
> would be informative. (if you've got a list :)
They are published, typically. Audits are made available to the vendor community, and some vendors have taken the hint and insisted that they be posted and available for public scrutiny. However, they are buried.

Firstly, they are not collected in any particular one place. The best is probably Mozilla's list of audit reviews, in which you can follow the links of each post-for-review (and you get to comment on the post when it is in play), but certainly until recently this list was not complete; many roots were grandfathered in. No other vendor reports on its ueber-CA activities that I know of, but sometimes the auditors' associations publish the reports (WebTrust had a very gappy list at one stage).

Secondly, they use the internal language of audit, and one could be mistaken in assuming they are written to speak to other auditors only.

Thirdly, they are full of audit-semantics. Together, these are unfortunately hard to distinguish from industrial grade CYA.

Fourthly, they are commissioned by the CA, for the CA, of the CA, not for you, nor written with you in mind. There is a false expectation that the public can rely on auditors' reports, but this only applies to formal audit reports in a financial reporting context. Beyond that, it's ... open to question. So typically, you are not entitled to rely on an auditor's report, and while they'll accept you have that fallacious impression, you can be sure they'll fight it in court and win.

Oh, and fifthly, they are drier than a Mars rainfall survey.

iang

http://financialcryptography.com/mt/archives/001126.html
Audit burial customs in 7 parts.

_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography