Proposal of wording for the definition of *equivalent* (was: The EV draft states auditing by WebTrust or *equivalent*.)
Copied from the *Mozilla CA Certificate Policy (Version 1.0)* at http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html without permission.

*Proposal:*

1. Equivalent means to provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations.

2. By "competent party" we mean a person or other entity who is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant government agency) /or/ for whom there is sufficient public information available to determine that the party is competent to judge the CA's conformance to the stated criteria. In the latter case the "public information" referred to should include information regarding the party's
   * knowledge of CA-related technical issues such as public key cryptography and related standards;
   * experience in performing security-related audits, evaluations, or risk analyses; /and/
   * honesty and objectivity.

3. By "independent party" we mean a person or other entity who is not affiliated with the CA as an employee or director /and/ for whom at least one of the following statements is true:
   * the party is not financially compensated by the CA;
   * the nature and amount of the party's financial compensation by the CA is publicly disclosed; /or/
   * the party is bound by law, government regulation, and/or a professional code of ethics to render an honest and objective judgement regarding the CA.

4. We reserve the right to designate our own representative(s) to act as the competent independent party or parties described above, should that prove to be necessary and appropriate.

5. The burden is on the CA to prove that it has met the above requirements. However, the CA may request a preliminary determination from us regarding the acceptability of the criteria and/or the competent independent party or parties by which it proposes to meet the requirements of this policy.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
