On 9/17/14, 2:33 AM, Kurt Roeckx wrote:
On 2014-09-17 00:52, Kathleen Wilson wrote:
https://wiki.mozilla.org/CA:BaselineRequirements#WebTrust_BR_Audit_Statement
https://wiki.mozilla.org/CA:BaselineRequirements#ETSI_BR_Audit_Statement.2FCertificate
It's not clear that you need either of those 2.
Well, the terminology used by WebTrust and ETSI auditors is different.
Maybe we need to be
more explicit in saying which audits are acceptable for what?
Both ETSI TS 102 042 PTC-BR and WebTrust BR are accepted. So, I'm not
sure what more can be said.
For the first it has:
The BR audit statement may be qualified and list BRs that the CA is not
yet in compliance with. The second BR audit (the following year) is
expected to confirm that the issues that were listed in the previous BR
audit have been resolved.
Shouldn't something like that also be in the 2nd?
I asked someone who is familiar with ETSI audits, and he said:
==
Well, webtrust and ETSI are different, both are used to evaluate CAs and
with that evaluation create an audit report with the findings, but the
term “qualified” is different.
All ETSI audits are qualified because they are done by qualified (we use
"accredited", which is a more accurate term) assessors, and the auditors or
assessors or auditing body (as you wish) have to follow the rules
indicated in ISO 17065, or ISO 17021 or ISO 27006 to perform these audits,
and these ISO standards indicate how to perform the audit and
what to do in case of the types of findings encountered.
So, if there are findings, minor ones, then the audit is passed, the
auditor creates a positive report and gives you a certificate, and
between the parties a plan is established for correcting the findings within
a set time and according to a schedule, and the auditor indicates whether that
procedure is correct and will check during the year whether the actions have
been done, and after a year then reviews again that those findings have been
correctly closed according to what was agreed.
If there are major findings or non-conformities to the audit criteria,
then depending on where the finding was encountered, the auditor can
decide not to give the audit certificate, which means that the CA has failed
and will have to solve those deficiencies and apply again from the
beginning, or can give no more than 3 months to solve them while giving
the certificate, and if they don't do it the auditor will reject the certificate and
remove it from its DB.
So, basically we do the same as WebTrust but with some slight
differences, more in the wording of the term "qualified". So if you want
to add a similar statement (which personally I won't do, because it is
inherent to the ETSI audit) I would say:
"The BR audit report may list the BRs that the CA is not yet in compliance
with. The following audit is expected to confirm ...."
==
So, is it worthwhile to add that to the ETSI Audit section?
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy