[cabfpub] BRs, audits and historical point-in-time events

Gervase Markham gerv at mozilla.org
Wed Jul 23 09:46:47 UTC 2014


On 23/07/14 01:02, kirk_hall at trendmicro.com wrote:
> If an auditor is able to issue the sub (3) opinion based on the
> script and video, that would seem to be sufficient -- perhaps no need
> for the auditor to have been there, and this opinion could be
> prepared long after the fact.  But if the script and/or video don't
> exist, that's a problem.

If it's OK to issue the opinion based on the script and video only, that
may solve the problem.

> I'd also go to the Mozilla communications to CAs concerning Mozilla's
> date of enforcement of the BRs -- as I recall, it was something like
> starting Feb. 15, 2013.  If the root was created before that date,
> there was no actual requirement to comply with the BRs by any root
> program, despite the BRs' stated effective date of July 1, 2012.
> (There was lots of discussion about this at the time.)  However, BR
> 8.3 calls for a CA to publicly commit to BR compliance in its CPS --
> did CA Foo publicly commit to following the BRs when it cut the root?
> If yes, it should have followed 17.7.

Of course, we could just give them a waiver. I'm not raising this issue
because it imperils the operation of our root program; I am concerned
that they may not be the only CA in this bucket.

Possible fixes include: allowing CAs who were not being audited to the
BRs *at the time of root generation* to skip this requirement. Or, if
both the script and video are required for all sane audit regimes
(WebTrust, ETSI, whatever) then explicitly say that it's OK to review
the script and video in giving an opinion.

Gerv
