[cabfpub] Audits and RAs

Jeremy Rowley jeremy.rowley at digicert.com
Tue Jun 18 17:35:25 UTC 2019

I think I heard the WebTrust auditors say last week that they have finished
or nearly finished the WebTrust for RAs criteria. The language from Section
8.4 of the guidelines reads:


"For Delegated Third Parties which are not Enterprise RAs, then the CA
SHALL obtain an audit report, issued under the auditing standards that
underlie the accepted audit schemes found in Section 8.1, that provides an
opinion whether the Delegated Third Party's performance complies with either
the Delegated Third Party's practice statement or the CA's Certificate
Policy and/or Certification Practice Statement. If the opinion is that the
Delegated Third Party does not comply, then the CA SHALL not allow the
Delegated Third Party to continue performing delegated functions."


We know some CAs use RAs that are not audited under WebTrust/ETSI because
"there is no appropriate audit standard". Now that there is an audit
standard, it seems to me this criteria goes into effect immediately and any
RA not audited would cause the CA to be out of compliance with the BRs. No
additional ballot required since the concept is already baked into the BRs. 


Anyone have a different interpretation?  If not, when is the exact date that
the audits should be done? Already? 


