Frank Hecker wrote:
> John Nagle wrote:
>> 2. CertStar must separately undergo an audit to WebTrust standards,
>> and the audit report must be published.
>
> Certstar isn't a CA, and thus the WebTrust for CAs criteria are not
> necessarily a good fit for it.

If a CA delegates some tasks to an RA, the RA, probably a department and not the whole company, should certainly be part of the CA audit as well.

> (Plus the expense of a full WebTrust for
> CAs audit is likely an order of magnitude higher than Certstar's
> probable revenues.)

It's Comodo's business decision whether they delegate some tasks to an external RA or not and whether the revenues are worth it. That's IMO out of scope for Mozilla and its policy regarding trusted root CA certs.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto