On 10/2/09 16:42, :

The initial comment was written in August 2008, and now we have code signing certificates, and it appears in our CP/CPS.

To my understanding the audit wasn't performed with those changes.

In general terms, and without commenting at all on the current case, here are a few observations. I think this is another area where there is a misunderstanding as to the role of audit.

a. Time. There is always some element of change between the last audit and current practice. Audits are "snapshots of the past" not proofs over the present nor future. And, there is an expectation that audits are repeated over time, the new guy has to have something to work with. Also, factor in 40 week + distro delays, and consider asking CAs to sit on their hands for a year or so.

b. The emphasis of the audit is over whether management has put in place policies and procedures, and sticks to them. Any check over particular activities is not there to "audit those activities in themselves" but to provide evidence of the policies and procedures in general as a reliable guide to the reading public.

E.g., they do what they write, they write what they do.

d. Having said that, a specific audit criterion may state a check is needed on X. One would have to go back and read WebTrust to see if it has a criterion on X==codesigning. That still doesn't change the other issues, but it may give you something to "rely" on when it comes to codesigning specifically.

c. One of the policies and practices that audits look at is generally whether CPSs and so forth are updated according to a reliable regime. Of course, we can really only do that when we see that change is done, so this is actually a positive chance for the next auditor to check the progress. I say this with some relish, because extracting good evidence is quite hard when most things are just written because the auditor says it is needed, and then ignored forever more...

That's my view at the moment, I'm looking forward to others!

iang

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto