On 04.01.2009 19:54, David E. Ross wrote:
> The line from auditor to the public has been drawn in the courts,
> where lawsuits against auditors by investors injured by corporate
> fraud have been successful.

Yes.
But as Ian pointed out, and you can see in the audit documents, e.g.
<https://cert.webtrust.org/SealFile?seal=798&file=pdf>, the assurances
and assertions made by the auditors are rather weak.
I don't know what the audits in the case of e.g. public stock companies
and IPO, which you probably refer to, assert, and whether certain
assertions are *required* by law, e.g. the rather strict US stock market
laws and regulations by the SEC.
Therefore, I'd say that we should mandate assertions by the CA audits
which are actually worth something, also in court. I.e. when the auditor
didn't do its job, it must be possible to sue him (and the CA) for
damages and win.
What I have seen in the last 2 weeks was extremely sobering. An audit
which doesn't check the actual verifications done by the CA is entirely
worthless.
See also "PositiveSSL is not valid for browsers", towards the end. I
think that CPS should never have passed the audit.
Ben