On 12/2/09 19:00, Eddy Nigg wrote:
> On 02/12/2009 07:47 PM, Ian G:
>> [2] Actually I think I am a long way from nailing down the issues here.
>
> Even though I agree usually on providing clear statements and
> requirements, I wonder if we really have to go into such details? You
> know, many times it was sufficient to receive a statement by the
> representative of the CA regarding clarifications when the overall
> "quality" of information we had wasn't lacking. I think everything
> should be also within reasonable boundaries - I think it was the first
> time that a CA didn't publish its CPS.
Eddy, you change your tune so fast you must be a salsa dancer ... you just wrote:

================
In my opinion this would solve the problem. I would like to request that *the auditor confirms that their audit statement confirms the exact extracts of the CPS*. I also would like to request to include all relevant bits for domain control validation in addition to email. Additionally if code signing was part of the CPS during your audit, also the bits relating to code signing.
================

An audit is a big deal. It is billable hours, if nothing else. You just added a few thousand euros to their bill. Throwing random things into the mix, just to please someone far far away, is ridiculous and unprofessional.
On a more serious note, consider that we are getting closer and closer to an issue that is very troubling. There are two reviews.

One is the "WebTrust and friends." This is done completely independently of Mozilla.

The second is the "Mozilla review" which is done after the auditor has left the scene and moved on to another (billable hours) job.

Requiring the presence of the auditor for the second one is highly problematic. It's easy to demand, sure. It makes everyone here feel really good and righteous and comfortable, as we armchair-general our way along to winning this paper war. But out where the real shots are fired, the forces don't move around so easily as they do on a mapboard.
iang
PS: So, just to clarify my own audit position here. As far as I see it, it makes no odds to CAcert whether you add this requirement in or not, because I have included or thought about or am aware of Mozilla from the beginning, and probably won't be far away, afterwards. But that "Mozilla first" approach only applies rarely. Perhaps only to CAcert, maybe Startcom, dunno.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto