On 12/12/08 07:51, Kyle Hamilton wrote:
Erm... this might be a very stupid question (or it might have an
extremely stupid answer), but why can't the companies involved ask the
auditors to send the reports out to the vendors that they have
relationships with, which would provide a direct means of verifying
that the documents presented are indeed authentic?


Not a stupid question; there is no easy answer.

The problem is partly the structure. In CA audits, the CA requests the audit of the auditor. So the CA is the paying body, and the CA specifies the criteria and purpose, and is the body to whom the audit is delivered.

In other auditing contexts, the audit is commissioned by a 3rd party for their benefit. I think CC works this way. If it were done this way, Mozilla would commission the audit, for its benefit, and would receive the report.

In the practical sense, I think Frank has solved it in the How To, point 4.

It does rather underscore the oddity of the situation. The audit report says very little, it is quite boilerplate. So Mozilla is depending very heavily on the presence of the auditor, and not on the report itself.

Along those lines, it would make more sense if Mozilla requested the audit directly of the auditor, and then specified what was interesting to Mozilla, and got a report on its interesting aspects.

(I'm not proposing such a drastic change, just a thought experiment.)

iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto