On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
> There seems to be a persistent misunderstanding here.
> https://cert.webtrust.org/SealFile?seal=2092&file=pdf
> https://cert.webtrust.org/SealFile?seal=2091&file=pdf
> both say that the period when the auditors were examining CNNIC was
> November 2, 2015 to February 29, 2016. Obviously, it then took them time
> to write up their report and get it published and so on, but that's not
> relevant for this.
> Therefore, as WebTrust audits last a year, I would expect CNNIC to begin
> being re-examined on or about November 2nd 2016, one year after the
> previous examination started.
> Unless I've misunderstood what that date range means. If it means the
> period of audit validity, then the audits have already expired, so we
> shouldn't rely on them. So it can't be that, otherwise they wouldn't
> have submitted them.
> Gerv


I think there's some confusion there. CNNIC's audits "expire" on Feb "29" 2017 
(I say "29" because of ambiguity on "1 year"). That is, within 3 months of Feb 
"29", 2017, CNNIC would be expected to provide a new audit, which covers 
February 29, 2016 (the end of the previous audit period) until February "29", 
2017. This would then be delivered to Mozilla within 3 months - May 29, 2017.

I'm not sure I understand your remark "last a year" - merely, there must be an 
unbroken sequence of audits. The current sequence ends February 29, 2016. The 
next sequence must not exceed a year, and must be delivered within 3 months of 
the full year period expiring.
dev-security-policy mailing list

Reply via email to