Eddy Nigg (StartCom Ltd.) wrote:
Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
So personally I'm very much in favor of *opening* up the *audit*
procedures and suggest / build an auditor profile and realistic
requirements of the audit firm.
What makes you say that Webtrust's own criteria for what constitutes
an acceptable audit firm are not "realistic"?
I do! I don't need them to decide for me which company is good for us
and which not (Or do I really have to dig up some spicy stories about
Ernst&Young or KPMG?),
No - but _we_ (Mozilla) do. We need to make sure that the audit firm a
CA uses is trustworthy to assess under the Webtrust guidelines. Who
better to decide that than the people who wrote the guidelines?
The Webtrust audit criteria, both for the normal audit and the EV one,
are public. So we know how they are audited, and can come to a
judgment about whether it is sufficient.
Can you point me to the audit criteria for EV please?
http://www.cabforum.org/WebTrustAuditGuidlines.pdf
Linked from the front page of cabforum.org.
Well, I would prefer to concentrate on Mozilla in this respect and leave
IE to Microsoft for now... I think Mozilla should make sure that all CAs
in the Mozilla CA store will be able to issue EV certificates and
receive the same treatment according to the Mozilla CA policy.
I don't think that should be the goal. Because of the nature of EV (and
the additional resources and requirements necessary for doing the extra
validation) it may well be that there are some CAs who do not have the
resources to take it on, or cannot make a business case for doing it.
Saying that all CAs in the store should be able to issue EV is basically
saying "EV should be the same as what we have now".
I agree there should not be any unnecessary barriers.
Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security