On Tue, Jun 24, 2014 at 10:55:14AM -0700, Ryan Sleevi wrote:
> On Tue, June 24, 2014 10:39 am, Kurt Roeckx wrote:
> >
> > Should we mandate that the audit should also audit the procedures?
> >
> > In my opinion the audit should:
> > - Check that the CPS complies with all the requirements
> > - Check that the CPS is being followed.
>
> Well, "Check that the CPS is being followed" is a bit of a can of worms.
>
> There's the sampling audit, that ensures, "historically", that the issued
> certificates have followed the CPS.
>
> However, if an auditor does not also perform some observation that the CPS
> is being followed (e.g.: by having the CA demonstrate the various
> technical controls being followed), then a CA that has issued no
> certificates is, from an audit coverage perspective, indistinguishable
> from a CA with no technical controls.
>
> So I think we need both - the sampling (historical) and some practical
> demonstration.
I was thinking about the practical demonstration, but I agree that sampling of historical certificates is a useful thing to do.

I would also like the audit report we get to be more explicit about what they did and possibly what problems they found. I am expecting that an audit finds problems. I would find it unlikely that a CA is perfect, and don't trust an audit that didn't find any problems.

Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy