Frank Hecker wrote:
> So the question is, if a government CA provided a statement roughly
> equivalent to the (public) WebTrust report, would that be sufficient for
> us? I think the answer is arguably yes, provided that we have the same
> general level of confidence in the organization doing the evaluation as
> we would with a typical WebTrust-authorized auditor.

So, to summarise, we need:

A) An audit to an approved standard, listed in policy section 8
B) Performed by a competent and independent body in which we have confidence, with criteria listed in policy section 9 and 10
C) Which makes a public statement to that effect

?

And there is no reason that the body in B) should not be a government or government-appointed, as long as we continue to have confidence in them. We are allowed to refuse any CA for any reason under policy section 4.

OK, I can buy that.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto