What about subordinate CAs created after the audit letter is published? If both WebTrust and ETSI audit schemes assume ongoing audit reporting responsibilities, I'd assume that you wouldn't need a new audit letter every time you create a subordinate CA, which might be weekly. The list of subordinate CAs could be updated annually, I'd think.
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+ben=digicert....@lists.mozilla.org] On Behalf Of Peter Bowen
Sent: Friday, September 23, 2016 9:18 AM
To: Kurt Roeckx <k...@roeckx.be>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Audit requirements

On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> On 2016-09-23 00:57, Peter Bowen wrote:
>>
>> Kathleen, Gerv, Richard and m.d.s.p,
>>
>> In reviewing the WebTrust audit documentation submitted by various CA
>> program members and organizations wishing to be members, it seems
>> there is possibly some confusion on what is required by Mozilla. I
>> suspect this might also span to ETSI audit documentation, but I don't
>> know the ETSI process as well, so will leave it to someone else to
>> determine if there is confusion there.
>
> So at least 1 thing I miss in those audit reports is which CAs are covered.
> If you look at the CAs they disclosed, how can we be sure that the
> audit actually covers that CA? I think the report should cover at
> least all root and intermediate CAs that are required to be disclosed by Mozilla.

And many audit reports specify this. See the following examples from the Mozilla included CAs report. I didn't check all -- I'm sure many more have lists of in-scope CAs.

https://cert.webtrust.org/SealFile?seal=2032&file=pdf (in the first paragraph lists the CAs)
https://cert.webtrust.org/SealFile?seal=1998&file=pdf (first paragraph lists the CA, appendix listing the CA details)
https://www.certsign.ro/certsign_en/files/certSIGN_Webtrust_CA.pdf (bulleted list of CAs)
https://cert.webtrust.org/SealFile?seal=2092&file=pdf (first paragraph)
https://cert.webtrust.org/SealFile?seal=1944&file=pdf (Appendix listing CA details)
https://cert.webtrust.org/SealFile?seal=1568&file=pdf (Appendix listing CAs)

So for many reports you don't have to guess which are covered.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy