Stephen Davidson wrote:
Does WebTrust periodically re-evaluate CAs?


Yes -- the WebTrust program requires seal holders to undergo an annual
update to maintain their seal and report.  This annual update would likely
entail additional vigilance by the auditors after a change in control of the
CA.

For example, the GTE Cybertrust root was bought by Baltimore and then
Betrusted;  it was also moved from a hosting site in MA to MD.  The changes
in business use and environment are both meaningful from the audit
perspective.

It would seem that the answer to this is to put the CA operation in a single purpose chartered company, and then sell the company. That way the operation is insulated, and only the shareholders change. Theoretically, at some level, if the shareholders have changed, that doesn't mean a change in control. Only if the board changes is a change in control perfected.

That should insulate it at least until the
next audit time comes along, I would think?

iang
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto