On 28/12/08 12:13, Kai Engert wrote:

> From my perspective, it's a CA's job to ensure competent [stuff].

OK.

> The auditing required for CAs is supposed to prove it.



This might be a bit too strong.  Let's look at that.

What audits do is confirm criteria, and provide an opinion that the criteria are met, according to the opinion of the Auditor [1].

Now let's look at some of the limitations or caveats or bugs in that process:

1. It is up to you to read the criteria and decide if they are appropriate to your needs.

2. It is also up to you to decide whether the opinion letter is "good enough" whatever that means.

2.b. And, it is also up to you to investigate and understand the various languages and procedures that an Auditor uses, customarily, to weaken an apparently strong claim.

3. It is also up to you to check that the Audit verifies the Mozilla policy. I don't know, but my understanding was that Audits are generally done to WebTrust or ETSI criteria, and not to the policy. There would need to be a specific comment from the Auditor to say that the policy was included in scope.

Has anyone here read the opinions and confirmed inclusion of the policy in the audit opinions?

4. It is also up to you to decide whether the Auditor has characteristics that speak highly of the opinion. Without getting into that debate, suffice to say, the singularity of the process is a weakness in and of itself.



Where does this get us?

It should be clear that Audits don't "prove" anything. At all. If you take an audit to prove something then *you have made a mistake*; although we might agree that this is a mistake that many people are comfortable for you to make, and they are unlikely to correct you on.

The question is more likely placed as whether you can rely on an Audit. If you get through all the above, your answer is probably "maybe." If you have a friend in the business, feel free to pose this question to them. Ask around, get some opinions.

(And, if we accept the above, if you don't get through all of your above checks, how can your answer be any better than "maybe"?)

Perhaps more broadly, we could ask whether we as a community get any benefit from an audit at all, given the rather drastic nature of an individual "maybe." I think the answer is yes, cautiously: it probably ensures that a CA is up to a known and reasonable level of practices [2].

So, at least we know where a CA is "likely" at, once they've passed their audit. Whereas before, we would be simply relying on advertising, which is hopeless.



The good news is that we can actually cover a lot of these weaknesses by moving to more open disclosures. The Internet has given us wonderful opportunities to move more information more reliably, something that is not factored into current Audit thinking.

So it may not be a huge issue that classical Audits have flaws (cf., they are not perfect, nor prove what you want) as long as we look at where the flaws are found in practice and identify ways to use the open source approach to overcome those flaws [3].

iang



[1] disclosure, I work as an auditor

[2] I am ignoring cost analysis here, so it may be that the benefit described does not return on investment.

[3] we sometimes call this open governance.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto