Gervase Markham wrote:
> And I don't know what Frank would say, but I'm not sure that a review
> from a single unqualified individual could meet the "WebTrust or
> equivalent" standard in the CA cert policy.

The Mozilla CA certificate policy doesn't say anything about "WebTrust or equivalent". What it does say is that

* CA conformance must be attested to by "a competent independent party or parties with access to details of the CA's internal operations";

* a "competent party" can be someone "for whom there is sufficient public information available to determine that the party is competent to judge the CA's conformance to the stated criteria", based on the party's "knowledge of CA-related technical issues such as public key cryptography and related standards; experience in performing security-related audits, evaluations, or risk analyses; and honesty and objectivity"; and

* an "independent party" can be someone "who is not affiliated with the CA as an employee or director" and "is not financially compensated by the CA".

If a CA were to propose someone who was not an actual professional auditor authorized to do WebTrust or other formal audits, then that person (or persons) would have to meet the requirements above, the CA and/or the person would have to publish information regarding the person's qualifications, and we could then debate within this group or in other contexts (e.g., a relevant Bugzilla bug) whether the person was actually qualified based on the information available.

Frank

--
Frank Hecker
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto