Gervase Markham wrote:
Eddy Nigg (StartCom Ltd.) wrote:
So personally I'm very much in favor of *opening* up the *audit* procedures and suggest / build an auditor profile and realistic requirements of the audit firm.

What makes you say that Webtrust's own criteria for what constitutes an acceptable audit firm are not "realistic"?
I do! I don't need them to decide for me which company is good for us and which not (Or do I really have to dig up some spicy stories about Ernst&Young or KPMG?), but they should build a profile and requirements for such auditor firms. Then a CA could choose the best for them...and pay in their own currency...

Except that, do you *know* what the criteria are? But in any case, as long as this is in the hands of *one* body and four audit firms *worldwide*, it is certainly not realistic to start with....

The Webtrust audit criteria, both for the normal audit and the EV one, are public. So we know how they are audited, and can come to a judgment about whether it is sufficient.
Can you point me to the audit criteria for EV please?
Actually membership isn't the most important thing at the CA/Browser Forum, but they demonstrated their attitude in the best way they could! StartCom doesn't need the membership, it needs to be able to issue the same certificates...

I suspect that one requires the other - at least, if you want your certs to be accepted as EV in IE.
Well, I would prefer to concentrate on Mozilla in this respect and leave IE to Microsoft for now...I think Mozilla should make sure that all CAs in the Mozilla CA store will be able to issue EV certificates and receive the same treatment according to the Mozilla CA policy. Obviously the Mozilla CA policy was written and defined in such a way that CAs don't *have to* use the Webtrust monopoly...

--
Regards

Signer:      Eddy Nigg, StartCom Ltd.
Phone:       +1.213.341.0390

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security