[cabfpub] Changing numbers of self-audited certificates

Gervase Markham gerv at mozilla.org
Tue Jun 6 10:46:49 UTC 2017

Currently, the BRs define, in section 8.7, the parameters for
self-audits and audits of certificates below a TCSC. At the moment, the
number of certs randomly chosen to be audited is defined as "the greater
of one certificate or at least three percent of the Certificates issued".

I think that auditing just a single certificate (which is currently OK
up until 33 are issued) makes it too easy to overlook problems when
volumes are small. I propose instead a 5-certificate minimum, or 3%,
whichever is larger. In other words:

Issued Audited
0      0
1      1
5      5
6      5
166    5
167    6

We could just change the "one" to a "five" if people thought it was
obvious that if you've issued less than five, you just audit all of
them. Or we could expand the text a bit to explicitly describe that.

I would be interested in feedback on the impact of this change. It's
been proposed for the Mozilla policy but as it's a BR stipulation I
thought we should try here first.


More information about the Public mailing list