All,
In response to Tim Hollebeek's recent email on this topic (
https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/HJDtlQEfUsY/m/1t6s5G2rAgAJ),
I have added a reference to CCADB Policy version 1.2.3. Unless there are
additional comments, I am assuming that discussion on this topic
Hi Ben,
Thanks for the clarification, but I think any site that hosts CA operations
must be in the scope of the audit.
I can't figure out a scenario as you describe where there's a successful
audit report.
Best,
Pedro
On Thursday, June 29, 2023 at 16:44:16 UTC+2, Ben Wilson wrote:
>
Hi Pedro,
If the CA has two sites, one primary and one secondary, and if the
secondary site hasn't been audited during the audit period, then the audit
letter should mention that.
Thanks,
Ben
On Thu, Jun 29, 2023 at 1:39 AM Pedro Fuentes wrote:
> Hi Ben,
> I'm a bit puzzled about how to specify
Hi Ben,
I'm a bit puzzled about how to specify the locations that "were not
audited".
What does this mean?
Thanks!
Pedro
On Tuesday, June 27, 2023 at 17:37:44 UTC+2, Ben Wilson wrote:
> All,
>
> Section 5.1 of the CCADB Policy
>
All,
Section 5.1 of the CCADB Policy
https://www.ccadb.org/policy#51-audit-statement-content now specifies
required audit letter content very similar to what is currently in section
3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed
that much of the current language in