Gervase Markham wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>
>> Is there a way to have them commit to that in some way or form? And what
>> if they'll just say: "Well, we looked at it and it's not possible" after
>> you already voted in favor?
>>
>
> I think it's rather unlikely that they would say that, given that we
> (i.e. Frank) have done our own analysis of equivalence and they are
> pretty similar.
>
> This work will take some time, and we don't think it's correct to hold
> up the approval of version 1.0 over this issue.

I understand that it will take some time and effort, and I didn't expect it to be part of the Guidelines right now. Some sort of formal or informal commitment, to which Mozilla could refer in future, might be fine. I think that the statement from the previous mail - *to separate the WebTrust EV audit criteria out, so that other auditors could audit against them* - would pretty much reflect and be in line with the nature of Mozilla as an organization and the Mozilla CA policy, which was specifically created by Frank and the community to allow that type of openness.

Gerv, maybe you want to update the page at http://wiki.mozilla.org/User:Johnath/EVDraft13ReviewComments in that respect? Because it says currently:

/The representatives from WebTrust and the audit firms also said that they were going to do an equivalence analysis between WebTrust and ETSI to see whether one could do an WebTrust EV Audit on top of an ETSI audit./

This is certainly not the same, if you compare both statements.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
