Eddy Nigg (StartCom Ltd.) wrote:
> So personally I'm very much in favor of *opening* up the *audit* procedures and suggest / build an auditor profile and realistic requirements of the audit firm.

What makes you say that WebTrust's own criteria for what constitutes an acceptable audit firm are not "realistic"?

> This would most likely result in more CAs (and not only StartCom) being able to issue certificates according to these guidelines and, as some suggested, "improve" the whole Internet... It would however also result in more transparency where auditing of the CAs is concerned. (Or does anyone know how CAs are audited in the first place? If not, how does anyone know if it is sufficient?)

The WebTrust audit criteria, both for the normal audit and the EV one, are public. So we know how they are audited, and can come to a judgment about whether it is sufficient.

> Actually membership isn't the most important thing at the CA/Browser Forum, but they demonstrated their attitude in the best way they could! StartCom doesn't need the membership, it needs to be able to issue the same certificates...

I suspect that one requires the other - at least, if you want your certs to be accepted as EV in IE.

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
