On 02/11/2009 04:12 PM, Frank Hecker:
> Yes in theory, but I'm not convinced that this is a real risk in practice. In the past we've had several cases where we've accepted public statements by CAs that went beyond what was in their CPS or CP. In some cases these were clarifications of CP/CPS language, in other cases they covered stuff that was not in the CP or CPS at all.
Clarifications I think yes. Something which isn't in the CPS must be easily verifiable; something critical and not covered in the CPS is in my opinion not sufficient.
> In a number of cases the CAs updated (or committed to update) their CP/CPS to reflect their supplementary statements, and for purposes of our evaluation we accepted the statements in advance of their actually completing an audit against the new CPS.
Yes, also this is in my opinion sufficient, but there are some problems. First, Mozilla hasn't been on record to follow up - neither on EV nor on other matters. Second, we need to draw a clear line here... I believe that CAs weren't approved generally if they couldn't demonstrate clearly through their published CPS and audit statements compliance to the Mozilla CA policy. Some CAs were sent back to the drawing board for fixing. I believe this case isn't any different.
> So, again, I'm not prepared to make a blanket statement that we must always have a published CPS and cannot rely on documents apart from the CPS.
Yes, everything within reason. But that should be established during information gathering and perhaps receive your approval prior to arriving here. It should be disclosed during the presentation statement at the list, and such a document shouldn't be provided AFTER it gets to the comments and review week here. This clearly means there is no audit behind it; it would be just hot air.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org