The audits are more deficient than just the minimum number. If a CA issues a
million certs to one customer, the entire 3% audit will be that single
customer. If that system is automated, all other customers and systems are
effectively masked. I haven't figured out how to expand the audit requirement
though. Perhaps a minimum that is something along the lines of the greater
of 3% of certificates with a unique profile and five certs? An alternative is
3% of certificates with a unique base domain?

-----Original Message-----
From: Public [mailto:[email protected]] On Behalf Of Gervase
Markham via Public
Sent: Tuesday, June 6, 2017 4:47 AM
To: CABFPub <[email protected]>
Cc: Gervase Markham <[email protected]>
Subject: [cabfpub] Changing numbers of self-audited certificates

Currently, the BRs define, in section 8.7, the parameters for self-audits
and audits of certificates below a TCSC. At the moment, the number of certs
randomly chosen to be audited is defined as "the greater of one certificate
or at least three percent of the Certificates issued".

I think that auditing just a single certificate (which is currently OK up
until 33 are issued) makes it too easy to overlook problems when volumes are
small. I propose instead a 5-certificate minimum, or 3%, whichever is
larger. In other words:

Issued Audited
0      0
1      1
.....
5      5
6      5
.....
166    5
167    6
.....

We could just change the "one" to a "five" if people thought it was obvious
that if you've issued less than five, you just audit all of them. Or we
could expand the text a bit to explicitly describe that.

I would be interested in feedback on the impact of this change. It's been
proposed for the Mozilla policy but as it's a BR stipulation I thought we
should try here first.

Gerv
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public

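The masking effect described in the reply above can be made concrete with a small simulation. This is an added example, not code from the thread or from the CA/Browser Forum: it implements the "greater of five certificates or 3% of those issued" rule from Gerv's proposal (rounding up, as "at least three percent" implies, which reproduces his 166/167 boundary), draws one flat sample over all issuance, and then applies the same rule per stratum (here keyed on the base domain, one of the two keys the reply floats). The issuance data is constructed for the example; the field names `customer` and `base_domain` are assumptions.

```python
import random
from collections import defaultdict


def sample_size(issued, minimum=5, percent=3):
    """Number of certificates to audit: the greater of `minimum` or
    `percent` of those issued, rounded up (integer arithmetic, so no
    float surprises), and never more than were actually issued."""
    if issued <= 0:
        return 0
    return min(issued, max(minimum, (percent * issued + 99) // 100))


def make_population():
    """Constructed issuance data, not real CA records: one automated
    customer with 100,000 certificates and five small customers with two
    each, so the small customers are 0.01% of the population."""
    certs = [{"serial": f"big-{i}", "customer": "bigcorp",
              "base_domain": "bigcorp.example"} for i in range(100_000)]
    for c in range(5):
        for i in range(2):
            certs.append({"serial": f"small{c}-{i}", "customer": f"small{c}",
                          "base_domain": f"small{c}.example"})
    return certs


def flat_sample(certs, rng):
    """Plain reading of BR 8.7: one random draw over everything issued."""
    return rng.sample(certs, sample_size(len(certs)))


def stratified_sample(certs, key, rng):
    """Apply the minimum per stratum (per base_domain, customer, or
    profile), so a single high-volume issuer cannot crowd the other
    customers out of the sample. Small strata end up fully audited."""
    strata = defaultdict(list)
    for cert in certs:
        strata[cert[key]].append(cert)
    picked = []
    for group in strata.values():
        picked.extend(rng.sample(group, sample_size(len(group))))
    return picked


def customers_covered(sample):
    """Distinct customers that have at least one certificate in the sample."""
    return {cert["customer"] for cert in sample}


def compare(seed=1):
    """Return (flat_size, flat_customers, strat_size, strat_customers) for
    one flat draw and one draw stratified by base domain."""
    certs = make_population()
    rng = random.Random(seed)
    flat = flat_sample(certs, rng)
    strat = stratified_sample(certs, "base_domain", rng)
    return (len(flat), len(customers_covered(flat)),
            len(strat), len(customers_covered(strat)))


if __name__ == "__main__":
    flat_n, flat_c, strat_n, strat_c = compare()
    print(f"flat 3%/5 rule: {flat_n} certs audited, "
          f"{flat_c} of 6 customers represented")
    print(f"stratified by base_domain: {strat_n} certs audited, "
          f"{strat_c} of 6 customers represented")
```

With the flat draw the expected number of small-customer certificates in the sample is about 0.3, so most of the customers are never looked at even though the CA audits over three thousand certificates; the stratified draw adds only ten certificates to the workload and covers every customer.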