[cabfpub] Delegated Third Parties, Network Security Requirements, and Audits

Gervase Markham gerv at mozilla.org
Wed May 18 09:50:26 UTC 2016

On 17/05/16 20:59, Benedikt Heintel wrote:
>> I'd say that if CAs sharing infrastructure want to take advantage of
>> those economies, then they need to synchronise their audit periods and
>> all engage the same auditor, who can then do a single inspection of the
>> shared infrastructure and use the results to write multiple reports.
> Or rely on the audit report of another auditor, as is the practice in
> other international standards.

That might be acceptable if the master auditor takes responsibility for
the entire audit, and can't palm off responsibility for problems with
"well, they said it was OK, nothing to do with us". And presumably the
other auditors would need to be appropriately qualified also?


