Frank Hecker wrote:
Frank Hecker wrote:
I've created a new draft 0.8 of the Mozilla CA Certificate Policy:
http://www.hecker.org/mozilla/ca-certificate-policy
Currently I am considering making the following changes from draft 0.8
to draft 0.9:
I agree with all the above suggestions (snipped).
* Clause 8: For evaluators who are not, e.g., accounting professionals
or government-authorized test labs we require that they "[have] no
financial or contractual relationship with the CA". But what if a
volunteer wanted to assist a CA with an evaluation, and the CA wanted
to reimburse the volunteer for any expenses incurred as part of the
evaluation? The clause as written would seem to prohibit such
arrangements, since it would arguably constitute a "financial
relationship".
Ok, this is a tricky one.
I didn't intend to rule out such arrangements (which IMO are
acceptable), ...
This added phrase in turn introduces a possible ambiguity: As written
the proposed revised clause would seem to permit the "independent
third party" to be affiliated with the CA as long as they are "bound
by law, regulation, and/or a professional code of ethics to render an
honest and objective judgement regarding the CA". This reminds me of
Ian's comments about trusting internal evaluations of CAs in cases
where there's some law or regulation (e.g., Sarbanes-Oxley) that might
cover such evaluations.
I don't know whether to tolerate this ambiguity or eliminate it (i.e.,
by extending the "not ... affiliated with the CA" requirement to cover
all cases). I welcome your thoughts on this issue and on the other
changes proposed above.
One way to deal with the "paid independent third party"
approach is to simply have the party(s) declare how much
was paid. This will probably raise some eyebrows, but I
can't think why this wouldn't work.
The amount of money that we are talking about is actually
a very useful number. Here's why. In the accounting world
of audits, a basic standard audit costs a basic standard
amount of money. But, if the audit is "difficult" then the
money goes up. If the audit is "dodgy", add more money.
As audits are a competitive business, what happens is
that one can always find an audit, but one finds that the
price can be high. Now, obviously all parties cover this
up with words and bluster, but simple economics rules -
if you want an auditor to deliver you an audit when it
isn't prudent to do so, expect to make a non-trivial
contribution to the partner's future well being.
So one thing you could do is to simply state that the fee
charged for all audits is public. (I'm going to skip over the
obvious aspects and complaints for now). Then, when
David Ross for example does his sterling work on CACert
and asks for $200 to cover some expenses and some
paper costs, he simply lists that, and we can look at that
as a signal - that's a figure to cover some expenses.
OTOH, if DodgyDan listed that he got $20,000 for the same
job, eyebrows would rapidly ascend to orbit, and we'd treat
that as a suspicious signal. DodgyDan could then be better
off lying, and saying it was for $200. But even then we are
better off, as information that is supposed to be public has
a way of leaking out...
(Having said all that, this is FOOD FOR THOUGHT... I
recognise that no professional auditor is going to like
this approach. To which I'd strongly suggest you ask
why! But that's another argument for another day ;)
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto