[cabfpub] Auditor question

Gervase Markham gerv at mozilla.org
Tue Mar 17 10:43:40 UTC 2015


On 10/03/15 04:36, Jeremy Rowley wrote:
> Personally, I think the intent was that as long as each CA had an EV
> audit covering their portion of the requirements, then you were okay
> (since all gaps are covered).  The first CA's auditor wouldn't
> actually need to audit the second CA.  Is this not the case? I'd like
> to amend the language to clarify how the two audits interoperate.

I think this depends on whether audits are fungible. That is to say, can
they be split up into pieces with no loss of fidelity? If CA A is
audited for the first half of the BRs, and CA B is audited for the
second half, and they collaborate together to issue certs, is the result
as well-audited as if one CA were doing it?

I don't think this is obviously the case, certainly not all the time.
The interactions between the two CAs may or may not be audited,
depending on the split, and I would suspect an auditor needs sometimes
to take an overall view of the process in order to confirm that certain
criteria are met.

To put it another way: many audit criteria relate to the trees, sure,
but some relate to the wood as a whole. :-)

Perhaps Don, Inigo or Arno could comment.

Gerv
