Here is my attempt to reword section 3.2 based on combining MRSP version 2.4.1 with version 2.7. My approach was to align the concepts of "competent", "independent" and "qualified" with their more-accepted meanings. Version 2.4.1 and earlier versions of the Mozilla Root Store Policy mixed some of these concepts together.
3.2 Auditors

Mozilla requires that audits MUST be performed by a competent, independent, qualified party. The burden is on the CA to prove *establish* that it*s auditor* has me*e*t *s* the below requirements *below*. However*,* the CA MAY request a preliminary determination from us regarding the acceptability of the criteria and/or the competent, independent, qualified party or parties by which it proposes to meet the requirements of this policy.

By "competent party" we mean a person or other entity *group of persons* who is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant agency) or for whom there is sufficient public information available to determine that the party is competent *has sufficient education, experience, and ability* to judge the CA’s conformance to the stated criteria. In the latter case, "Public information" referred to SHOULD include information regarding the party’s:

- knowledge of CA-related technical issues such as public key cryptography and related standards;
- experience in performing security-related audits, evaluations, or risk analyses; and
- honesty and objectivity *ability to deliver an opinion as to the CA’s compliance with applicable requirements*.

By "independent party" we mean a person or other entity *group of persons* who is not affiliated with the CA as an employee or director and for whom at least one of the following statements is true: the party is not financially compensated by the CA; the nature and amount of the party's financial compensation by the CA is publicly disclosed; or the party is bound by law, government regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.

By "qualified party" we mean a person or other entity or group of persons who meets *meeting* the requirements of section 8.2 of the Baseline Requirements.
If a CA wishes to use auditors who do not fit the definition in section 8.2 of the Baseline Requirements, they MUST receive written permission from Mozilla to do so in advance of the start of the audit engagement. Mozilla will make its own determination as to the suitability of the suggested party or parties, at its sole discretion.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy