[cabfpub] Auditor question
jeremy.rowley at digicert.com
Mon Mar 9 21:36:12 MST 2015
I wanted to pass along a concern someone raised with the EV Guidelines:
Currently the EV guidelines say "EV audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor." It would make it much more cost effective for CAs if the requirement was modified to allow the auditor to rely on a separate audit done on the RA/subcontractor. Imagine I had a CA and subcontracted another CA to perform certain operations. As it stands today, the second CA would have to undergo their normal audit plus an audit by the first CA's auditors. This is great if you are an auditor (more billable hours), but not great if you are the second CA and trying to make money by offering services to other CAs. For example, let's say we run an OCSP service for another CA. Would the other CA's auditor have to come check out our OCSP servers to verify compliance?
Personally, I think the intent was that as long as each CA had an EV audit covering their portion of the requirements, then you were okay (since all gaps are covered). The first CAs auditor wouldn't actually need to audit the second CA. Is this not the case? I'd like to amend the language to clarify how the two audits interoperate.
More information about the Public