On Thu, Mar 19, 2015 at 4:39 PM, David Keeler <dkee...@mozilla.com> wrote:
> On 03/19/2015 01:01 PM, Peter Bowen wrote:
>> Given this ratio, I find it very hard to believe that they would be
>> able to receive an audit report without qualifications that Mozilla
>> would deem unacceptable.
>
> Maybe I'm misinterpreting what you're saying, but did you mean
> "acceptable" here?

No, I meant acceptable. I am confident that E-Guven could get an audit report, but the auditor would list a number of "qualifications" (e.g. exceptions). Mozilla has indicated in the past that certain qualifications/exceptions are acceptable. In this case, I highly doubt that Mozilla would find the qualifications/exceptions listed in the report to be acceptable.

For example, based on what you reported and what I saw, the audit report should at a minimum say:

E-Guven complies with the Baseline Requirements with the following qualifications:
- Some certificates issued do not conform to 9.2.1
- Some certificates issued do not conform to 9.2.4(d)
- Some certificates issued do not conform to 9.2.5
- Some certificates issued do not conform to Appendix A

Do you think these qualifications are acceptable?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy