Currently, the BRs define, in section 8.7, the parameters for self-audits and audits of certificates below a TCSC. At the moment, the number of certs randomly chosen to be audited is defined as "the greater of one certificate or at least three percent of the Certificates issued".
I think that auditing just a single certificate (which is currently OK up until 33 are issued) makes it too easy to overlook problems when volumes are small. I propose instead a 5-certificate minimum, or 3%, whichever is larger. In other words: Issued Audited 0 0 1 1 ..... 5 5 6 5 ..... 166 5 167 6 ..... We could just change the "one" to a "five" if people thought it was obvious that if you've issued less than five, you just audit all of them. Or we could expand the text a bit to explicitly describe that. I would be interested in feedback on the impact of this change. It's been proposed for the Mozilla policy but as it's a BR stipulation I thought we should try here first. Gerv _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
