On 09/03/17 13:32, Ryan Sleevi wrote:
> (Wearing Google hat only for this statement)
> Have you considered having this discussion in the CA/Browser Forum? Google
> had planned to discuss this very topic at our upcoming F2F about how to
> address this, and would be very interested in collaborating with Mozilla on
> this. I mentioned this recently to Kathleen at the WebTrust TF meetings,
> but apologies for not mentioning to you as well.

This sounds like a good idea. Do we want to get this added in an open
slot? There may still be time.

> I'm not sure that we can or should so easily dismiss this with a suggestion
> that we're dancing on the head of a pin here.

That's not quite what I'm saying; I'm saying that my position could be
seen as that (making very fine distinctions), and it possibly is.

> I don't understand why you
> believe it's relevant the act of "Mozilla requiring disclosure of the
> audits". Can you help me understand where, in the policy, that's required?

I'm not sure where your text in quotes comes from, and nor can I work
out the referent of "it", so I don't understand this question.

> I agree that removing the conflicting definition of qualified auditor is
> likely a suitable outcome, and a much welcome improvement, but I do think
> we owe it to the community to provide a greater degree of clarity than
> currently provided by this thread about the expectations related to such
> audits, both to the qualifications and the independence aspects.

Surely requiring the auditor to be qualified in all cases will provide
that clarity?

I've filed https://github.com/mozilla/pkipolicy/issues/63 .

Gerv