On Friday, February 24, 2017 at 5:12:43 PM UTC-8, Peter Bowen wrote:

> "auditing standards that underlie the accepted audit schemes found in
> Section 8.1"
>
> This is obviously an error in the BRs. That language is taken from
> Section 8.1 and there is no list of schemes in 8.1.
>
> 8.4 does have a list of schemes:
> 1. WebTrust for Certification Authorities v2.0;
> 2. A national scheme that audits conformance to ETSI TS 102 042 / ETSI
> EN 319 411-1;
> 3. A scheme that audits conformance to ISO 21188:2006; or
> 4. If a Government CA is required by its Certificate Policy to use a
> different internal audit scheme, it MAY use such scheme provided that
> the audit either (a) encompasses all requirements of one of the above
> schemes or (b) consists of comparable criteria that are available for
> public review.
>
> 1. is slightly problematic as no scheme exists by that name, but "Trust
> Service Principles and Criteria for Certification Authorities Version
> 2.0" does exist, which is what I assume is meant.

This is something that should be fixed in the BR, and in fact both of the audit schemes (WTCA & WTBR) should be listed in Section 8.4 (obviously WTCA by itself doesn't cover all BR requirements; only WTBR does). While your assumption is just, Section 1.6.3 has the following reference, so it's hard to tell what the intent is.
WebTrust for Certification Authorities, SSL Baseline with Network Security, Version 2.0, available at http://www.webtrust.org/homepage‐documents/item79806.pdf.