Hi Kathleen,

On 2015-01-22 22:43, Kathleen Wilson wrote:
> All,
>
> As you know, we've moved the CA Program data from spreadsheets into
> SalesForce.
>
> We are now creating a program that will be run once per month to
> automatically send email to CAs when audit statements are past due;
> meaning that the audit statement date is over a year old.

I think it's great that you want to automate this.

Reading the baseline requirements, they have 3 months after the audit
period ends. Wouldn't it make more sense to do it 30 days after the
audit period ends rather than based on when the audit statement was made?
For example, if the last audit period was 1 January 2013 - 31 December
2013 with an audit statement in March 2014, you would only send the
reminder in April 2014, which is after the 3 months' time they have. It
would make more sense to send this at the end of January / beginning of
February.

> Here is the audit statement information we have for these root
> certificates.
> Audit: <Standard Audit>
> Audit Statement Date: <Standard Audit Statement Date>
> BR Audit: <BR Audit>
> BR Audit Statement Date: <BR Audit Statement Date>
> EV Audit: <EV Audit>
> EV Audit Statement Date: <EV Audit Statement Date>

Maybe it should also mention the covered period and by when they should
deliver the statement?
The BR say this:
| In the event of a delay greater than three months, and if so requested
| by an Application Software Supplier, the CA SHALL provide an
| explanatory letter signed by the Qualified Auditor.
Maybe something like that should be mentioned in one of the mails?
Kurt