On Monday, October 30, 2017 at 5:02:08 PM UTC-7, Buschart, Rufus wrote:
> Our ETSI audit report 
> (https://www.siemens.com/corp/pool/pki/siemens_etsi.pdf) states:
> 
> > An audit of the certification service, documented in a report,
> > provided evidence that the requirements of the following
> > specification have been fulfilled. The audit was conducted on
> > 22th - 24th February 2017 covering the timeframe 27th February 2016
> > to 21st February 2017. It was a full audit covering all aspects of
> > the standard performed. A second and third audit was performed on
> > 19th and 20th June 2017 to implement further Issuing CAs and in the
> > time between 23rd to 30th August.
> 
> We repeat this full audit annually. From what I understand out of this 
> discussion, this will meet your requirements, correct?


Yes, that meets our requirement regarding stating the audit period and if it is 
a period-of-time/full audit. The problem is that most ETSI audit statements 
that we get do not say this. And it has been an uphill battle for me to get 
ETSI audit statements to say this.

Please note that there is still information missing from the audit statement, 
such as SHA-256 fingerprints. See:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#public-audit-information


But your audit statement is much better than most ETSI audit statements I get.


> 
> If you want us to move from ETSI to Webtrust we, and probably every other CA 
> relying on ETSI, would highly appreciate a reasonable grace period to do so, 
> since we are already in the middle of the preparation of our next audit in 
> February 2018.


I understand.

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
