[cabfpub] BRs, audits and historical point-in-time events
Ben Wilson
Ben.Wilson at digicert.com
Tue Jul 22 19:31:15 UTC 2014
It sounds to me like it might be related to audit practice and how an auditor goes about checking on and attesting to things, and I suppose we could re-word 3 to deal with this, or maybe even 2, if that subsection is involved, and hopefully this issue won't re-appear in the future, but I don't have a good answer for you. Do we want to add this to Thursday's call?
-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, July 22, 2014 1:06 PM
To: Ben Wilson; cabfpub
Subject: Re: [cabfpub] BRs, audits and historical point-in-time events
On 22/07/14 19:28, Ben Wilson wrote:
> Gerv, Am I right to understand that it is mainly the third item in
> 17.7 - "3. have a Qualified Auditor issue a report opining that the
> CA followed its key ceremony during its Key and Certificate generation
> process and the controls used to ensure the integrity and
> confidentiality of the Key Pair?" because 1. and 2. were done, but 3.
> is now difficult to do? In other words, CA Foo performed the key
> ceremony that met certain requirements, likely those in 17.7 1. and
> 2., but that the auditor was only looking at WebTrust 2.0 and WebTrust
> for EV 1.3 during the last audit, such that it is like water that has
> flowed under the bridge and cannot be measured now?
Exactly.
Gerv