These are all things the auditors control, not necessarily CAs.  Enacting 
something like this would require WebTrust and ETSI buy-in to update the 
templates and information. If you said the CA must clearly indicate in their 
submission that X, Y, and Z must happen, then it makes more sense (as the CA is 
the one communicating with Mozilla, not the auditor). 


-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org]
 On Behalf Of Peter Bowen
Sent: Monday, December 7, 2015 11:25 AM
To: [email protected]
Subject: Audit report timing

The current CA policy does not specify when audit reports are due to Mozilla 
relative to the end date of the audit period.  It only says that CAs must 
provide the reports to Mozilla within 30 days of receiving the report from 
their auditor.

For the next version of the CA policy, I suggest that this be remedied.  I 
propose the following revised requirements:

- All audit reports must clearly state whether they are for a period of time or 
a point in time.
- All audit reports that cover a period of time must list the start date and 
end date of the period.
- All audit reports that are for a point in time must list the point-in-time 
date.
- All audit reports must separately include the date the report was issued 
(which will necessarily be after the end date or point-in-time date).
- All audit reports must be provided to Mozilla within three months of the 
point-in-time date or the end date of the period.

I think that all of these are reasonable and help to ensure that compliance is 
appropriately monitored.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy