On 10/2/09 21:06, Frank Hecker wrote:

> I acknowledge your comment that ETSI TS 102 042 does not require the CPS
> to be published. However we depend on public documents to document the
> exact claims that CAs make and whether these meet our policy
> requirement. So this causes a problem for us when we do not have access
> to CPSs and related documents.
>
> If you cannot publish the CPS because it contains private information, I
> suggest as an alternative that you provide some sort of official
> Certigna document that summarizes the portions of the CPS that are of
> most interest to us (i.e., those relating to validation of subscriber
> information).


I had to re-read the policy and think about this a few times. Yes, I think that is it.

The policy says we need published information, *e.g.* the CPS.

Not, "CPS must be published." So there are two reasons not to enforce publication of the CPS: one is that ETSI (allegedly) doesn't require it. Another is that the CPS pretty much always has things in it like "and then we use this private practices statement to achieve X." Or, it doesn't say that, but either way, the auditor is faced with 2 sets of documents, one of which is private, one public. Both valid and verifiable. The auditor loves secret documents, that's bread & milk.

Then there are reasons to enforce publication. One is, we can only verify -- as an *enduser* -- what we can read. Another is that an "opinion" rendered over a secret document has to be taken with a large dose of salt. Just exactly how much room is there for manoeuvre?

Given these complications, I think the policy is about right. It is useful to promote publication of documents, it is quite useful to state clearly that Mozilla only relies on public documents, and it is very useful to state what information is needed.

But it is not particularly useful to try and draw a line in the sand based on the title of some document.

iang

PS: with a nod to David's point that a new document provided (as an extract?) might not be representative / outside an audit scope. Where to draw the line?
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto