On Mon, Dec 07, 2015 at 10:24:34AM -0800, Peter Bowen wrote:
> The current CA policy does not specify when audit reports are due to
> Mozilla relative to the end date of the audit period.  It only says
> that CAs must provide the reports to Mozilla within 30 days of
> receiving the report from their auditor.
> 
> For the next version of the CA policy, I suggest that this be
> remedied.  I propose the following revised requirements:
> 
> - All audit reports must clearly state whether they are for a period
> of time or point in time.
> - All audit reports that cover a period of time must list the start
> date and end date of the period
> - All audit reports that are for a point in time must list the point
> in time date
> - All audit reports must separately include the date the report was
> issued (which will necessarily be after the end date or point in time
> date)

I think these are all very useful things.  I probably requested the
same thing but not that clearly.

> - All audit reports must be provided to Mozilla within three months of
> the point in time date or the end date of the period

The BR already say exactly that in 8., but only about the end of
the audit period, not about the point in time date.


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy