David Ross wrote:

The most important question is whether the Mozilla Foundation has
received a copy of the Ernst & Young letter from Ernst & Young
itself. The copy could be received under an agreement that it
remain outside the public realm. However, without the letter --
not from QuoVadis (which would be self-serving) but from Ernst &
Young -- the CA would be approved on hearsay without any real
substantiation.

I don't think this makes much difference. Most audits are shrouded in secrecy, the full reports are generally confidential, and the published letters are often so full of equivocation that one wonders why anyone pays any credence to them.

If Ernst & Young are named, and this is a public forum,
about the best one can expect is that they'll notify us
if QuoVadis is lying (an unlikely scenario).  If you
badger them a lot, you might get a letter that says that
they did the checkup, and it passed.  But they won't say
much more than that.  You can achieve the same thing by
phoning up the partner's office in Bermuda and asking,
if you are concerned.  An auditor will generally confirm
the basic thrust of the result over the phone.  Take
notes and report on the list - if they lie to you over
the phone then that's as good as if they produce a bogus
piece of paper.

The fact that QuoVadis was audited by Bermudan government should
carry only slight weight unless we have a good appreciation of the
quality of that government and its freedom from corruption. Let's
take a more extreme example: Would we trust CAs audited by the
Nigerian, Iranian, or Russian governments or any of the governments
in the Pacific islands that are spammer havens? (I'm not sure I
would even trust CAs audited by the U.S. government given how
military contracts for "rebuilding" Iraq were awarded.)

Politics aside, from my one brush with agencies of the Bermudan government, I can suggest that they will look after their own. No more. But, that doesn't seem to be any different with any other government, so I think I'm in agreement with you - the checkup by the Bermudan government is about as useless or useful as the Ernst & Young audit.

iang

PS: just to establish the context, I think an audit is
somewhere between practically useless and a WOFTAM for
the current purposes.  We are on our own here.  You will
see what I mean in the next post.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
