[cabfpub] Auditor question
gerv at mozilla.org
Tue Mar 17 03:43:40 MST 2015
On 10/03/15 04:36, Jeremy Rowley wrote:
> Personally, I think the intent was that as long as each CA had an EV
> audit covering their portion of the requirements, then you were okay
> (since all gaps are covered). The first CAs auditor wouldn't
> actually need to audit the second CA. Is this not the case? I'd like
> to amend the language to clarify how the two audits interoperate.
I think this depends on whether audits are fungible. That is to say, can
they be split up into pieces with no loss of fidelity? If CA A is
audited for the first half of the BRs, and CA B is audited for the
second half, and they collaborate together to issue certs, is the result
as well-audited as if one CA were doing it?
I don't think this is obviously the case, certainly not all the time.
The interactions between the two CAs may or may not be audited,
depending on the split, and I would suspect an auditor needs sometimes
to take an overall view of the process in order to confirm that certain
criteria are met.
To put it another way: many audit criteria relate to the trees, sure,
but some relate to the wood as a whole. :-)
Perhaps Don, Inigo or Arno could comment.
More information about the Public