My previous message is not showing up in Google Groups, so trying again (with 
some re-phrasing)...

All,

ETSI audit statements typically do not specify the audit period start and end 
dates, and it is very difficult to determine whether the audit statement is for a 
point-in-time audit or a period-of-time audit.

ETSI certifications are valid for one to three years, so the certificate lists an 
expiration date that is in the future. Many CAs mistakenly enter their ETSI 
certification dates as the audit period start and end dates.

~~

Definition (from the BRs):
"Audit Period: In a period-of-time audit, the period between the first day 
(start) and the last day of operations (end) covered by the auditors in their 
engagement. (This is not the same as the period of time when the auditors are 
on-site at the CA.)"

~~

Here is the requirement according to the Baseline Requirements:
https://cabforum.org/baseline-requirements-documents/
Section 8.1: "The period during which the CA issues Certificates SHALL be 
divided into an unbroken sequence of audit periods. 
An audit period MUST NOT exceed one year in duration."

Here's the requirement according to Mozilla's Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#audit-parameters
"Full-surveillance period-of-time audits MUST be conducted and updated audit 
information provided no less frequently than annually. Successive audits MUST 
be contiguous (no gaps)."

~~

The April 2017 CA Communication specified the content we expect to be in all 
audit statements now.
https://wiki.mozilla.org/CA/Communications#April_2017

Every CA stated that they understand the requirements, and no CA raised concern 
about audit periods.
https://ccadb-public.secure.force.com/mozillacommunications/CACommResponsesOnlyReport?CommunicationId=a05o000003WrzBC&QuestionId=Q00018,Q00032

So, why are so many ETSI audits still not meeting these requirements?

~~

Mozilla's policy lists the specific information that must be included in each 
audit statement document:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#public-audit-information

~~

How do we get all auditors to start meeting our audit statement requirements?

Why haven't all included CAs communicated these requirements to their auditors?

Why am I seeing so many audit statements (particularly ETSI audit statements) 
that do not meet our requirements?

I will greatly appreciate thoughtful and constructive ideas on this.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy