All,

It is extremely frustrating to deal with ETSI audits, because they typically do 
not specifically state the audit period start and end dates. And it is very 
difficult to determine if their audit statement is for a point-in-time audit 
versus a period-of-time audit. 

They have a concept of their ETSI certification being valid for one year, and 
will list an expiration date for their ETSI certification that is in the 
future. Many of the CAs mistakenly enter their ETSI certification dates for the 
audit period start and end dates.

This is an ongoing problem that I'm very frustrated with.

~~

Definition (From BRs):
"Audit Period: In a period-of-time audit, the period between the first day 
(start) and the last day of operations (end) covered by the auditors in their 
engagement. (This is not the same as the period of time when the auditors are 
on-site at the CA.)"

~~

Here is the requirement according to the Baseline Requirements:
https://cabforum.org/baseline-requirements-documents/
Section 8.1: "The period during which the CA issues Certificates SHALL be 
divided into an unbroken sequence of audit periods.
An audit period MUST NOT exceed one year in duration."

Here's the requirement according to Mozilla's Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#audit-parameters
"Full-surveillance period-of-time audits MUST be conducted and updated audit 
information provided no less frequently than annually. Successive audits MUST 
be contiguous (no gaps)."

~~

The April 2017 CA Communication specified the content we expect to be in all 
audit statements now.
https://wiki.mozilla.org/CA/Communications#April_2017

Every CA stated that they understand the requirements, and no CA raised concern 
about audit periods.
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00018,Q00032

So, why are so many ETSI audits still failing to meet these requirements?

~~

Mozilla's policy lists the specific information that must be included in each 
audit statement document:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#public-audit-information

~~

How do we get *ALL* auditors to start meeting our audit statement requirements 
ASAP?

Why haven't *ALL* included CAs communicated these requirements to their 
auditors?

Why am I seeing so many audit statements (particularly ETSI audit statements) 
that fail to meet our requirements?

As you can see, I'm frustrated with this situation. But I will greatly 
appreciate thoughtful and constructive ideas on how to fix this.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy