[cabfpub] BRs, audits and historical point-in-time events

Ben Wilson Ben.Wilson at digicert.com
Tue Jul 22 19:31:15 UTC 2014


It sounds to me like it might be related to audit practice and how an auditor goes about checking on and attesting to things, and I suppose we could re-word 3 to deal with this, or maybe even 2, if that subsection is involved, and hopefully this issue won't re-appear in the future, but I don't have a good answer for you.  Do we want to add this to Thursday's call?

-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Tuesday, July 22, 2014 1:06 PM
To: Ben Wilson; cabfpub
Subject: Re: [cabfpub] BRs, audits and historical point-in-time events

On 22/07/14 19:28, Ben Wilson wrote:
> Gerv, Am I right to understand that it is mainly the third item in
> 17.7 -  "3. have a Qualified Auditor issue a report opining that the 
> CA followed its key ceremony during its Key and Certificate generation 
> process and the controls used to ensure the integrity and 
> confidentiality of the Key Pair?" because 1. and 2. were done, but 3.
> is now difficult to do?  In other words, CA Foo performed the key 
> ceremony that met certain requirements, likely those in 17.7 1. and 
> 2., but that the auditor was only looking at WebTrust 2.0 and WebTrust 
> for EV 1.3 during the last audit, such that it is like water that has 
> flowed under the bridge and cannot be measured now?

Exactly.

Gerv
