[cabfpub] When did the WebTrust/ETSI BR audit requirement become mandatory?

kirk_hall at trendmicro.com kirk_hall at trendmicro.com
Thu Feb 19 16:59:51 UTC 2015

On our Forum call today, we asked when a WebTrust/ETSI BR audit requirement become mandatory for CAs.

Ballot 62 (Nov. 2011) adopted the BRs effective July 1, 2012.  However, there were no audit criteria in place for some time.

I did some quick research, and the answer is not clear as to when the audit criteria came into effect.  The WebTrust draft audit requirements were completed by early 2013, and I see comments that Mozilla adopted the BR audit as a program requirement at the Mountain View meeting in Feb. 2013.  Here is the current Mozilla requirement at Sec. 11: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/

As I recall, the initial Mozilla BR audit requirement was not clear as to exact effective date (what operational period must be covered by a CA's initial BR audit).  I vaguely recall Mozilla clarifying the rule at our Feb. 2013 meeting at Mountain View that all CA operations occurring on or after Feb. 15, 2013 must be covered by a BR audit - so some CAs did partial-year initial BR audits to align their BR audits with their other audits.

Based on all this, I would say all CAs should have full year BR audits in place by now.  We can change our Bylaw on membership at Bylaw 2.1 to reflect this.

Kirk R. Hall
Operations Director, Trust Services
Trend Micro

<table class="TM_EMAIL_NOTICE"><tr><td><pre>
The information contained in this email and any attachments is confidential 
and may be subject to copyright or other intellectual property protection. 
If you are not the intended recipient, you are not authorized to use or 
disclose this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150219/1f6a9bb0/attachment-0002.html>

More information about the Public mailing list