I am aware of the requirements but am interested in seeing how an RA that 
doesn't have their own issuing cert structures the audit report. It probably 
looks the same, but I've never seen one (unless that is the case with the 
previously provided audit report).

On Feb 22, 2017, at 8:48 PM, Ryan Sleevi <r...@sleevi.com> wrote:

On Wed, Feb 22, 2017 at 8:36 PM, Jeremy Rowley <jeremy.row...@digicert.com> wrote:
Webtrust doesn't have audit criteria for RAs so the audit request may produce 
interesting results. Or are you asking for the audit statement covering the 
root that the RA used to issue from? That should all be public in the Mozilla 
database at this point.

Hi Jeremy,

I believe the previous questions already addressed this, but perhaps I've 
misunderstood your concern.

"Webtrust doesn't have audit criteria for RAs so the audit request may produce 
interesting results."

Quoting the Baseline Requirements, v.1.4.2 [1], Section 8.4:
"If the CA is not using one of the above procedures and the Delegated Third 
Party is not an Enterprise RA, then the CA SHALL obtain an audit report, issued 
under the auditing standards that underlie the accepted audit schemes found in 
Section 8.1, that provides an opinion whether the Delegated Third Party's 
performance complies with either the Delegated Third Party's practice statement 
or the CA's Certificate Policy and/or Certification Practice Statement. If the 
opinion is that the Delegated Third Party does not comply, then the CA SHALL 
not allow the Delegated Third Party to continue performing delegated functions."

Note that Symantec has already provided this data for the four RA partners 
involved for the 2015/2016 (varies) period, at [2]. Specifically, see the 
response to Question 5 at [3].

"Or are you asking for the audit statement covering the root that the RA used 
to issue from? That should all be public in the Mozilla database at this point."

Again, referencing Question 5 at [3], and the overall topic of the thread, no, 
I am not asking for the audit statement covering the root that the RA used to 
issue from. I'm asking for the audit report, issued under the auditing 
standards that underlie the accepted audit schemes found in Section 8.1, that 
provides an opinion whether the Delegated Third Party's performance complies 
with either the Delegated Third Party's practice statement or the CA's 
Certificate Policy and/or Certification Practice Statement.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.2.pdf
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1334377
[3] https://bug1334377.bmoattachments.org/attachment.cgi?id=8831933
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy