On Friday, 7 October 2016 21:11:01 UTC+1, Han Yuwei wrote:

> About the auditor Ernst & Young (Hong Kong), I don't understand how it(?) was involved in this. Can someone explain that?
Management of a public CA are obliged to state periodically that they understand and obey various rules for operating a public CA. But how can we trust that they do so? The management hires an independent _auditor_, usually from a professional services company like EY, to verify that the statements from management are true. The auditor should undertake reasonable steps to satisfy themselves of the veracity of these statements; e.g. if the management says the CA is in a second-floor steel and concrete building in Manhattan, the auditor can visit and see whether it seems instead to be a wooden barn in New Jersey. If the management says all issuances are authorised by two employees working together, the auditor can watch this being done one day and see if in fact only one employee does all the work.

Mozilla believes that WoSign misbehaved in ways that a competent auditor should have detected. This leaves open two possibilities, neither good for the local EY:

1. They were not competent: their examination of the facts at WoSign fell short of what they should have done, and it did not find the misbehaviour at WoSign because it was not sufficiently thorough.

OR

2. They were dishonest: they knew or suspected that WoSign had misbehaved but chose to conceal this fact from readers of the audit report.

In either case, this auditor cannot be trusted with other audit work, as it may do exactly the same thing again, which makes the audit pointless. Competent, honest auditors must be used for all audits.

