[cabfpub] Changing numbers of self-audited certificates
gerv at mozilla.org
Tue Jun 6 03:46:49 MST 2017
Currently, the BRs define, in section 8.7, the parameters for
self-audits and audits of certificates below a TCSC. At the moment, the
number of certs randomly chosen to be audited is defined as "the greater
of one certificate or at least three percent of the Certificates issued".
I think that auditing just a single certificate (which is currently OK
up until 33 are issued) makes it too easy to overlook problems when
volumes are small. I propose instead a 5-certificate minimum, or 3%,
whichever is larger. In other words:
We could just change the "one" to a "five" if people thought it was
obvious that if you've issued less than five, you just audit all of
them. Or we could expand the text a bit to explicitly describe that.
I would be interested in feedback on the impact of this change. It's
been proposed for the Mozilla policy but as it's a BR stipulation I
thought we should try here first.
More information about the Public