Frank Hecker wrote [in part]:

> Let's take QuoVadis as an example. QuoVadis is not currently officially
> WebTrust-audited.
>
> Instead QuoVadis's current state is as follows:
>
> * QuoVadis claims conformance to a set of Bermudan government
> regulations relating to CAs:
>
> http://www.quovadis.bm/support/library/Bda_CSP.pdf
>
> and has been certified by the Bermudan government as meeting those
> requirements based on an audit conducted by Ernst & Young on behalf of
> the Bermudan government. (The audit report is not a public document, so
> I can't provide a link.)
>
> * Ernst & Young also did a separate audit to meet the Microsoft
> requirement that the CA "provide an equivalent third-party attestation"
> if it were not officially WebTrust-approved, and provided a letter to
> QuoVadis and Microsoft containing such an attestation. The letter is not
> a public document, so I can't provide a link (although I have seen a
> copy of the letter).
>
> So, based on the QuoVadis experience I would tentatively define
> "WebTrust-equivalency" as follows:
>
> * The CA claims conformance to a set of criteria equivalent to those
> used in WebTrust.
>
> * The CA's conformance to these criteria has been attested to by an
> independent third party (as opposed to the CA doing its own audit).
>
> * Optionally: The independent third party in question is authorized to
> perform WebTrust audits, and hence is qualified to render a judgement on
> whether the CA is conforming to criteria equivalent to the WebTrust
> criteria.
>
> My proposal therefore is that I extend the interim policy to also
> approve requests from CAs meeting "WebTrust-equivalent" requirements as
> defined above.
>
> Based on the information QuoVadis has supplied to me, I believe that
> they meet those requirements, and under such an extended interim policy
> I would be inclined to approve QuoVadis to have their CA certificate(s)
> included in Mozilla.
>
> (My only reservation is that the E&Y letter mentioned is not a public
> document.)
The most important question is whether the Mozilla Foundation has received a copy of the Ernst & Young letter from Ernst & Young itself. The copy could be received under an agreement that it remain outside the public realm. However, without the letter -- not from QuoVadis (which would be self-serving) but from Ernst & Young -- the CA would be approved on hearsay without any real substantiation.

The fact that QuoVadis was audited by the Bermudan government should carry only slight weight unless we have a good appreciation of the quality of that government and its freedom from corruption. Let's take a more extreme example: Would we trust CAs audited by the Nigerian, Iranian, or Russian governments, or any of the governments in the Pacific islands that are spammer havens? (I'm not sure I would even trust CAs audited by the U.S. government, given how military contracts for "rebuilding" Iraq were awarded.)

--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
