[cabfpub] BRs, audits and historical point-in-time events
Gervase Markham
gerv at mozilla.org
Tue Jul 22 13:59:27 UTC 2014
The following situation in regard to the BRs recently arose. What is the
wisdom of the group?
* CA Foo, Inc. wishes to include their root in Mozilla products.
* By Mozilla policy, this requires an audit to check they are following the BRs.
* CA Foo's auditors are Bar Audit Corp.
* Some time in 2012, CA Foo created a root.
* Bar Audit Corp audited that root creation process according to WebTrust 2.0 and WebTrust for EV 1.3.
* However, they did not audit it according to the BRs.
* The BRs require, in section 17.7, that all roots created after 1st July 2012 meet certain procedural criteria.
* However, Bar Audit Corp can't go back and reaudit a one-time event according to different criteria.
* How then can CA Foo pass its BR audit?
To generalise, the problem is that the BRs require something which is
difficult to do in retrospect if you didn't do it at the time - which
may be because you didn't even know about the BRs or that they were
relevant to you. How do we handle that?
Gerv