Frank Hecker:
> First, DigiNotar first submitted its request several months ago, at a
> time when its EV audit would have been current had I processed
> DigiNotar's application in a timely manner.

...and you would be today in a situation where you would have to remove
this CA already from EV status.

> I'm not inclined to penalize DigiNotar for my own delays.

No, you only adhere to your own criteria. Who do you penalize here
really (if they don't have an updated audit and do not conform to the EV
criteria)? Just adding them to have them removed?

> First, based on my experience a lot of CAs have experienced delays in
> getting their EV audits completed and published.

So? (Sorry for being nasty, but I want to get my point through to you ;-) )

> I'm guessing that this
> has been primarily due to the large number of CAs wanting to get EV
> audits, and the limited number of auditors available to do them. You may
> also recall that the first batch of EV reports was not published on the
> webtrust.org site, apparently due to delays by the AICPA/WebTrust folks
> and/or the various auditors in setting up arrangements to incorporate EV
> reports into the standard WebTrust SealFile system.

The seals are not required. We need the audits. Apparently auditing
works without problems...

> So in general I've been willing to give CAs some leeway in terms of the
> audit dates, and see no reason not to do so in this case.

Some leeway is fine, but don't forget that we need to be in sync at some
point (better before FF3 gets out). I see a reason to insist this time
because the audit is very old in terms of EV. They've got KPMG next
door, so I don't see a reason why this should be a problem (and I know
what I'm talking about). And you won't be alone, MS will pull their EV
status as well if they haven't already (assuming there is no updated
audit, otherwise all is fine).

--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto