The current CA policy does not specify when audit reports are due to
Mozilla relative to the end date of the audit period.  It only says
that CAs must provide the reports to Mozilla within 30 days of
receiving the report from their auditor.

For the next version of the CA policy, I suggest that this be
remedied.  I propose the following revised requirements:

- All audit reports must clearly state whether they are for a period
of time or point in time.
- All audit reports that cover a period of time must list the start
date and end date of the period.
- All audit reports that are for a point in time must list the point
in time date.
- All audit reports must separately include the date the report was
issued (which will necessarily be after the end date or point in time
date).
- All audit reports must be provided to Mozilla within three months of
the point in time date or the end date of the period.

I think that all of these are reasonable and help to ensure that
compliance is appropriately monitored.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy