Ian G wrote:
> On 14/1/09 15:35, Michael Ströder wrote:
>> David E. Ross wrote:
>>> On 1/3/2009 6:51 PM, Ian G wrote:
>>>> It was written:
>>>>> But aren't auditors the eye of the public performing and recording
>>>>> those operations?
>>>> That's one theory.  Here is another:  Who is the client of the auditor?
>>>>    The auditor has a duty to the client that (arguably) outweighs the
>>>> duty to anyone else.
>>>>
>>>> You might not agree to the above characterisation.  But, try this test:
>>>>    can you draw a line from the auditor to the public?
>>>>
>>> The line from auditor to the public has been drawn in the courts, where
>>> lawsuits against auditors by investors injured by corporate fraud have
>>> been successful.
>>
>> But unfortunately this likely does not apply to IT security audits.
> 
> I would agree with that.  In my conflicted opinion [1], but from some
> research:
> [..long notes deleted which I agree with..]
> Who's going to sue a big4 auditor because their opinion sucks?  How
> much luck do they have in the financial sphere on this question, anyway?

That's exactly the point. And the auditor is most times paid by the CA
(or any other organization) he audits.

The only way for Mozilla to enforce its policy is to possibly remove
trust flags in case of known violation of the Mozilla CA policy.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
