Kurt said "I think that the WebTrust audit is also based on a certain version of the BR and that they might not have been updated yet to check the latest version. So I think the audit report should indicate which version was checked. If an audit was not for the last version, that doesn't mean a CA shouldn't already be complying with the later version or be working on complying with it."
- I think adding clarity around version is a good idea. The audit reports tell you the date and, based on the date, you can tell which audit criteria were used. However, the audit reports would improve if they specifically mentioned which version of the BRs applied to the audit. ETSI and WebTrust audit criteria lag about six months to one year behind adoption of the standards, so this info would be very useful when looking at a CA's practices and CPS.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy