<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Apr 17, 2017 at 11:16 AM, Dimitris Zacharopoulos via Public <span dir="ltr"><<a href="mailto:public@cabforum.org" target="_blank">public@cabforum.org</a>></span> wrote:<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div text="#000000" bgcolor="#FFFFFF">
When a CA is being audited for a period-in-time (say June 2016 -
June 2017), they are usually audited against an audit criteria
(Webtrust or ETSI) that incorporate a certain version of the BRs,
usually not the latest. If they are audited with the latest version
of the BRs that don't take into consideration a transition phase for
some cases like the timestamping issuance or the Intermediate CA
Certificate without a CN, it might lead to problems. <br>
<br>
For example, if a CA issued an Intermediate CA Certificate in August
2016 without a CN, and the BRs were updated in May 2017, when the
auditor comes in at the end of the audit period in June 2017 and
checks everything against the latest BRs, they will consider the
Intermediate CA issued in August 2016 as being mis-issued. Of course
the CA can explain to the auditors that the BRs changed in May 2017
and enter a discussion with them but why shouldn't we try to avoid
this?<br></div></blockquote><div><br></div><div>The Scottsdale F2F identified this is not the case for WebTrust audits. Do you believe it to be the case for ETSI?</div><div><br></div><div>In both cases, the governing section is Section 2.2 of the BRs. I'm unaware of any auditor who has done what you have said, and we've explicitly heard statements that contradict your summary, so it would be useful if you can share any data, either with the Forum or to the Browser members. In the absence of that evidence, I don't believe you've summarized correctly.</div></div></div></div>