On 02/12/2009 09:04 PM, Ian G:
> Eddy, you change your tune so fast you must be a salsa dancer ...
I don't think so. I wondered if we need a list of 20 items in order to clarify what a CA should provide in terms of audited documents. As I already said, many times we need only clarifications - a big difference to an unpublished CPS. Publishing the CPS is and should be the norm, I think; not sure what the fuss is about, really.
> An audit is a big deal. It is billable hours, if nothing else. You just added a few thousand euros to their bill. Throwing random things into the mix, just to please someone far far away, is ridiculous and unprofessional.
What are you talking about? I don't know about their relationship with their auditors, but your assumptions are most likely incorrect, as are so many other things you throw into the wild (but many times I prefer not to disprove your claims, as it serves my other interests).
> On a more serious note, consider that we are getting closer and closer to an issue that is very troubling.
I didn't know that we are getting closer to a troubling issue, certainly not the one you mention now...
> One is the "WebTrust and friends." This is done completely independently of Mozilla.
Mozilla doesn't perform an audit; Mozilla processes an inclusion request of a CA root certificate into their software according to their own stated policies.
> Requiring the presence of the auditor for the second one is highly problematic. It's easy to demand, sure. It makes everyone here feel really good and righteous and comfortable, as we armchair-general our way along to winning this paper war. But out where the real shots are fired, the forces don't move around so easily as they do on a mapboard.
Nobody ever proposed what you assume (again) above. In case of a deficiency or other problematic issue, which might come up every now and then, solutions need to be found. It's not the goal of Mozilla to prevent inclusion of CAs, but to reasonably assure that the to-be-included CA conforms to its policy. Where is the problem now, again?
> PS: So, just to clarify my own audit position here. As far as I see it, it makes no odds to CAcert whether you add this requirement in or not, because I have included or thought about or am aware of Mozilla from the beginning, and probably won't be far away, afterwards. But that "Mozilla first" approach only applies rarely. Perhaps only to CAcert, maybe Startcom, dunno.
What are you talking about? Can you clarify?
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto