We're not talking about a financial audit here. We're talking about whether QuoVadis meets some well-documented, objective criteria. The Ernst & Young letter needs to say only two things: (1) they evaluated QuoVadis against those criteria and (2) QuoVadis met the criteria. If the letter equivocates, that should be grounds for denying the request to implement the QuoVadis CA certificate into Mozilla's database.
For the record, the letter that I saw was a copy of the paper original, on Ernst & Young letterhead; I really have no concerns regarding its authenticity. In terms of the content, while the language has some "CPA-ese" to set some limits around what E&Y is attesting to and what they are not, I believe that it does what you ask. The bulk of the letter is a checklist against relevant criteria from the WebTrust for CAs list, and no concerns were expressed regarding QuoVadis's conformance to those criteria.
As I mentioned in an earlier post, I think the main "gotcha" here is that this does not in and of itself constitute "official" WebTrust approval, because QuoVadis has not yet completed all the other paperwork and procedures around getting the WebTrust for CAs seal. However, it was apparently sufficient to satisfy Microsoft's requirement to "provide an equivalent third-party attestation" to WebTrust, and I would agree with Microsoft on that point.
Frank
--
Frank Hecker [EMAIL PROTECTED]
