Kyle Hamilton wrote:
> Erm... this might be a very stupid question (or it might have an extremely stupid answer), but why can't the companies involved ask the auditors to send the reports out to the vendors that they have relationships with, which would provide a direct means of verifying that the documents presented are indeed authentic?
They could, but usually it's the CAs we deal with directly (because they're the ones making the request), not the auditors, and usually the CAs send us the reports first. So usually we end up following up with the auditors to confirm that the reports are genuine.
You do make a good point though: in cases where the reports are not publicly available, we can ask the CA up front to have them sent by their auditor(s). I've added that to the "how to apply" document:
https://wiki.mozilla.org/CA:How_to_apply
> (Furthermore, I think that this is an issue that should be brought to the folks in charge for a vote on organizational approval of this encouragement, if this is not something that you can speak for Mozilla on; if it is, I think that you should subtly strengthen that 'I encourage them to' to 'the Mozilla Foundation encourages them to'.)
Good point. I can speak for the Mozilla Foundation on this, so CAs should indeed consider my previous comments as "The Mozilla Foundation encourages them..."
Frank

--
Frank Hecker
hec...@mozillafoundation.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto