Kurt said "I think that the WebTrust audit is also based on a certain version 
of the BR and that they might not have been updated yet to check the latest 
version.  So I think the audit report should indicate which version was 
checked.  If an audit was not for the last version that doesn't mean a CA 
shouldn't already be complying with the later version or be working on 
complying with it."

- I think adding clarity around version is a good idea.  The audit reports tell 
you the date and, based on the date, you can tell which audit criteria were 
used.  However, the audit reports would improve if they specifically mentioned 
which version of the BRs applied to the audit.  ETSI and WebTrust audit 
criteria lag about six months to one year behind adoption of the standards so 
this info would be very useful when looking at a CA's practices and CPS.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
