One way to deal with the "paid independent third party" approach is to simply have the party(s) declare how much was paid. This will probably raise some eyebrows, but I can't think why this wouldn't work.
Well, I don't think E&Y or KPMG are going to be willing to send me their invoices, but I think this approach is worth considering for CAs that take the "plan B" approach and use an evaluator that's not an accounting firm, government-authorized test lab, etc. This also addresses the question of how we'd determine things like whether expenses paid to a volunteer evaluator were "necessary and reasonable".
You didn't suggest possible language for the next draft, but here's some:
8. By "independent third party" we mean a person or other entity who
is not affiliated with the CA as an employee or director, and for
whom at least one of the following statements is true:
* the party is not financially compensated by the CA;
* the nature and amount of the party's financial compensation by
the CA is fully and publicly disclosed; or
* the party is bound by law, regulation, and/or a professional code
of ethics to render an honest and objective judgement regarding
the CA.

Thoughts?
Frank
P.S. Note that I will probably publish draft 9 tomorrow; I have one other significant change I am considering, as noted in my next message.
-- Frank Hecker
