Hi Pedro, If the CA has two sites, one primary and one secondary, and if the secondary site hasn't been audited during the audit period, then the audit letter should mention that. Thanks, Ben
On Thu, Jun 29, 2023 at 1:39 AM Pedro Fuentes <pfuente...@gmail.com> wrote: > Hi Ben, > I'm a bit puzzled about how to specify the locations that "were not > audited". > What does this mean? > Thanks! > Pedro > > El martes, 27 de junio de 2023 a las 17:37:44 UTC+2, Ben Wilson escribió: > >> All, >> >> Section 5.1 of the CCADB Policy >> https://www.ccadb.org/policy#51-audit-statement-content now specifies >> required audit letter content very similar to what is currently in section >> 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed >> that much of the current language in MRSP § 3.1.4 be removed. GitHib >> Issue#239 <https://github.com/mozilla/pkipolicy/issues/239>. However, >> two items do not appear in the CCADB’s list of required audit content—(1) >> locations audited or not audited and (2) auditor qualifications. Therefore, >> we are proposing the following language for the first paragraph of section >> 3.1.4. >> >> --- Begin MRSP Edit --- >> >> The publicly-available documentation relating to each audit MUST contain >> the information required by section 5.1 of the CCADB Policy and the CA >> locations that were or were not audited. Audit reports must also contain or >> be accompanied by the name of the lead auditor and qualifications of the >> team performing the audit, as required by section 3.2. >> >> --- End MRSP Edit --- >> >> See also >> https://github.com/Mozilla/pkipolicy/compare/bf36841af0686676f0435769db8c641d7d17dfb3..8968d9b6fedc1f94f4afa6a59ce609b759f497e6 >> >> Please provide us with your comments or suggestions. >> >> Thanks, >> >> Ben and Kathleen >> > -- You received this message because you are subscribed to the Google Groups "dev-security-policy@mozilla.org" group. To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-policy+unsubscr...@mozilla.org. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabzNi3OyABBBUzJBmBDyJz7sM7ZRQFKV1KethRMBONtQQ%40mail.gmail.com.
