[cabfpub] BRs, audits and historical point-in-time events
Gervase Markham
gerv at mozilla.org
Tue Jul 22 19:06:03 UTC 2014
On 22/07/14 19:28, Ben Wilson wrote:
> Gerv, Am I right to understand that it is mainly the third item in
> 17.7 - "3. have a Qualified Auditor issue a report opining that the
> CA followed its key ceremony during its Key and Certificate
> generation process and the controls used to ensure the integrity and
> confidentiality of the Key Pair?" because 1. and 2. were done, but 3.
> is now difficult to do? In other words, CA Foo performed the key
> ceremony that met certain requirements, likely those in 17.7 1. and
> 2., but that the auditor was only looking at WebTrust 2.0 and
> WebTrust for EV 1.3 during the last audit, such that it is like water
> that has flowed under the bridge and cannot be measured now?
Exactly.
Gerv
More information about the Public
mailing list