Kurt, I think both the past experiences of m.d.s.policy with incidents that went undetected by auditors, and my own personal experience (not as part of the Web PKI) with professional audit firms, are that they're not strong on the sort of technical requirements that we've seen here.

If the rule says I ought to have an annual meeting at which I must keep minutes, the auditors are likely to remember to ask to see the minutes and to identify "did not hold required meetings" as a problem. If the rule says I mustn't issue certs with a "foo" extension, it's very unlikely the auditors will inspect any certs - let alone all of them - specifically to check for that extension. This is definitely a limitation that we need to keep in mind and which CAs themselves must keep in mind if relying on audits in their own business - as, for example, Symantec did.

As a rule of thumb, audit is good at identifying certain types of policy problems but not effective for detecting criminality or bugs. If you want to detect those (and we do), you need other measures in place.

That said, I would like to see feedback from CAs on why *they* missed this and what they've done to try not to be on the list next time something like this happens. They too need to be aware that passing audit is the low bar; if it's the extent of their goals, then Mozilla's root programme probably isn't for them.