Eddy Nigg wrote:
Well no, then any CA can write whatever it feels in such a document which would be entirely non-binding and not audited.

Yes in theory, but I'm not convinced that this is a real risk in practice. In the past we've had several cases where we've accepted public statements by CAs that went beyond what was in their CPS or CP. In some cases these were clarifications of CP/CPS language, in other cases they covered stuff that was not in the CP or CPS at all. In a number of cases the CAs updated (or committed to update) their CP/CPS to reflect their supplementary statements, and for purposes of our evaluation we accepted the statements in advance of their actually completing an audit against the new CPS.

So, again, I'm not prepared to make a blanket statement that we must always have a published CPS and cannot rely on documents apart from the CPS.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
