[cabfpub] Delegated Third Parties, Network Security Requirements, and Audits
gerv at mozilla.org
Wed May 18 09:50:26 UTC 2016
On 17/05/16 20:59, Benedikt Heintel wrote:
>> I'd say that if CAs sharing infrastructure want to take advantage of
>> those economies, then they need to synchronise their audit periods and
>> all engage the same auditor, who can then do a single inspection of the
>> shared infrastructure and use the results to write multiple reports.
> Or rely on the audit report of another auditors, as it is practice in
> other international standards.
That might be acceptable if the master auditor takes responsibility for
the entire audit, and can't palm off responsibility for problems with
"well, they said it was OK, nothing to do with us". And presumably the
other auditors would need to be appropriately qualified also?
More information about the Public