[cabfpub] Auditability of EV 1.4 and other CABF Guidelines

Gervase Markham gerv at mozilla.org
Wed Nov 14 10:21:46 UTC 2012

On 13/11/12 14:38, Sheehy, Don (CA - Toronto) wrote:
> Gerv- I think you have misunderstood. The issue that I pointed out
> was we just needed to "freeze" a version to allow for consistent
> auditing. WebTrust EV was based on EV 1.3 - you can always look at
> the web site to say " there were the control and operational
> requirements" . When EV 1.4 ( developed in May) pointed to controls
> that were approved for use in July and then changed again in
> September the ability to perform the audit under 1.4 is  more
> difficult (since the measuring stick continues to move, although the
> EV version remains the same)

I am saying that you can solve that problem by fixing the version of the 
BRs as well as the version of EV, when you start your deliberations.

So instead of saying "Right, chaps, let's look at incorporating EV 
1.4.12 into our audit criteria", you simply say "let's look at 
incorporating EV 1.4.12 and, where relevant, BR 1.1.16". You just need 
to pick two version numbers rather than 1.

Of course, this is easier for you if we have better version numbering 
practices, which is what I was suggesting.

Another option would be for EV 1.M.M to make a specific reference to BRs 
1.N.N, so that the version of the BRs referenced by EV was fixed until 
we released a new version of EV.

But my point is that fixing this doesn't require us to change our 
processes in the big ways Ben suggested.


More information about the Public mailing list