So there appear to be several things that might require an additional audit interaction over some delivery to Mozilla, outside the normal audit opinion.

Here's my list of things, as spotted recently:

1.  a CA's clarification or comment over a key document (e.g., CPS).
2.  an additional document of some import.
3.  an extract from a key document.
4.  a redacted document from a key document.
5.  the Mozilla criteria listed in policy.
6.  any document / evidence.

Secondly, there appear in another axis several natures of comment [1]:

a. an audit over that document.
b. auditor's comment that the document was incorporated into the main audit as evidence.
c. auditor's comment that the document is a reasonable view over another document, separate from an audit over the primary document.

And, over perhaps a third axis there is the attest nature:

i.   assertion over document or over subject matter?
ii.  examination or review?  Attestation or not?
iii. relationship to an audit
iv.  comment of no particular relationship
v.   person of some relationship or no relationship?

In order to deliver clarity to the community of CAs there, we probably need some guidance on this, written up in the wiki pages and/or policy.

It might be:

  (a) case by case judgement by Mozilla.
  (b) a matrix where we look up what is required.
  (c) simply discount any additional information.
  (d) full audit attention over any additional information.
  (e) requirement to disclose any additional submission to auditor.

Just some ideas [2]....

iang

[1] As we know, when audit says something, it has to be interpreted carefully. Elsewhere, I comment that unless you know what all that means, you should be careful, because .... you don't know the code. Some things can be taken to court, some things not. Now, in this present context, Mozilla has decided to rely on the audit, and therefore they've made a conscious decision to learn the tricks. So we are covered, theoretically, as a community. But we still need to know what it is that is being requested.

[2] Actually I think I am a long way from nailing down the issues here. But am inhibited from researching it fully atm.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto