Some acronyms to help understanding, quickly slapped in from an email. Should be tidied up.

Audit Criteria

WebTrust is the "classic" north-American style audit process. It is fairly lightly documented, there is apparently a private or secret list of checks, and the auditors are a closed shop. It's also woefully out of date, being written in the period 1995-1999 when there was only a perceived opportunity, no validated threat.

ETSI is European Telecomunications Standards Institute and is the CA-world abbreviation for a pair of audit definitions. The primary one is for QC, and there is a "simplified" or poor-man's version for the non-QC. It is written that way because the QC project is a Community dream, and that must lead, but the market requires a "lite" version, because that's what works.

QC is Qualified Certificates, which is the European "experiment" to give everyone a digital signing smart card that is backed in law. When you use these things, the digsig so imprinted on some thing is to be recognised as "equivalent" by the courts to your human manuscript signature. This is an unworkable project in market terms, and so far has not succeeded, but European governments are pushing ahead with it regardless. There are many reasons why this benefits governments, but very few if any positives for citizens. One of the central ideas of QC is, that the owner of the personal certificate is not able to publish his secret key, in order to avoid reputiation and make the signatures binding. With the latest generation of ID cards the digsig might become general available in the EU. Criterias for CAs are defined by multiple national laws (implementing the EU directive).

EV is Extended Validation. This is the complete rewrite of the WebTrust, in the aftermath of the phishing debacle. Basically, they got scared, huddled in a closed room, and documented what they thought they were doing that was good. As a defence against phishing. Unfortunately they forgot to fix phishing along the way, but the did manage to fix many things that helps them, not the user. E.g., two audits instead of one, because WebTrust is now required as a preliminary to EV.

EV is big and complicated, it is approximately as big and complicated as ETSI-QC, but where ETSI is oriented to selling client certs on smart cards to citizens, EV is oriented to selling expensive SSL server certificates to websites to big corporates who don't care about money. When you have an EV cert, the URL bar on the browser may go green, and it may present the name of the claimant.

Finally DRC is "David Ross Criteria". When Mozilla defined its policy for adding new CA's roots to the root list, it recognised that the industry had been cartelised and controlled by the various groups, and it decided that the power of the formal auditor industry was incompatible with the open Internet. It included a clause that says "anyone we think is a good guy can do an audit."

DRC is an audit criteria ("process") written by David Ross, one of the good guys (where, that means he isn't related to the auditor industry, but comes from the quality engineering background). DRC is the criteria that CAcert was being audited under by Iang. It was pre-accepted by Mozilla as a criteria, but was never likely to be accepted by Microsoft, which preferred to side with auditors.

ISM is the AU govt. Information Security Manual. It is more like CAcert's entire package of policies and criteria. Compared.

Other observations

Fubar: Fluffed up beyond all recovery. It's all over the map. Because there are competing interests, such as Europeans v. Americans, Auditors v. corporations, CAs v. browsers, QC v. the non-QC, and other little arcane wars going on, the audit criteria business is hard for outsiders to understand. And when you do understand it, that only means you've figured out the players and how they are fighting to improve their lot. It doesn't help you any.

Strategy. CAcert conducted Audit #1 according to a strategy laid out in the NLnet funding proposal. In short, the approach was to go with Mozilla first, because it is aligned with the open world, and had already defined an open audit process. This permitted a low cost / volunteer approach that helped CAcert immensely. As commercial audits are designed to be expensive, and encouraged by the incumbents to be too expensive for new entrants to the market (c.f., ETSI and EV), this alternate path was very useful to CAcert.

Options. There are other ways. For example, do a WebTrust, which would be acceptable to both Mozilla and Microsoft as well as others. Or, do an ETSI-"lite" which would be a better and more updated version. However, these generally require auditors acceptable to the publishers of those standards, which are the audit associations. Therefore they are much more expensive. Pro bono is a theoretical possibility but has not so far been found.


Audit/CriteriaAlphabetSoup (last edited 2010-09-10 11:01:01 by SunTzuMelange)