On Thursday, December 12, 2013 4:56:49 PM UTC+1, Jan Schejbal wrote:
> The policy
> <http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/>
> says that "We require that all CAs whose certificates are distributed
> with our software products provide us an updated statement annually of
> attestation of their conformance to the stated verification requirements
> and other operational criteria by a competent independent party or
> parties, as outlined in this policy."
>
> Am I correct in the assumption that every CA should have an audit report
> dated within the last 12-18 months (to allow for some grace period while
> the audit is finishing) on file, irrespective of "validity" dates of the
> reports?
So reading the CAB Baseline Requirements, it says:

| 17.2 Audit Period
| The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods.
| An audit period MUST NOT exceed one year in duration.

So at least if it's valid for 3 years as you indicate, that doesn't follow the requirements.

In 17.3 it states:

| [T]he CA SHOULD make its Audit Report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by an Application Software Supplier, the CA SHALL provide an explanatory letter signed by the Qualified Auditor.

So it's my understanding that if we have a report from January 2012 to December 2012, we should get a new report after that no later than April 2014. That is, if they make a report for January 2013 to December 2013, 3 months after that period we should get the new report, or a reason why we didn't get it yet.

Looking at a random report that covers that period (2012), it was made in March 2013, and it would make sense that we get a new one a year later.

Maybe it would help if the spreadsheet also said what period is covered, or when it's going to expire.

Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

