On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a persistent misunderstanding here. > > https://cert.webtrust.org/SealFile?seal=2092&file=pdf > https://cert.webtrust.org/SealFile?seal=2091&file=pdf > both say that the period when the auditors were examining CNNIC was > November 2, 2015 to February 29, 2016. Obviously, it then took them time > to write up their report and get it published and so on, but that's not > relevant for this. > > Therefore, as WebTrust audits last a year, I would expect CNNIC to begin > being re-examined on or about November 2nd 2016, one year after the > previous examination started. > > Unless I've misunderstood what that date range means. If it means the > period of audit validity, then the audits have already expired, so we > shouldn't rely on them. So it can't be that, otherwise they wouldn't > have submitted them. > > Gerv
Gerv, I think there's some confusion there. CNNIC's audits "expire" on Feb "29" 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months of Feb "29", 2017, CNNIC would be expected to provide a new audit, which covers February 29, 2016 (the end of the previous audit period) until February "29", 2017. This would then be delivered to Mozilla within 3 months - May 29, 2017. I'm not sure I understand your remark "last a year" - merely, there must be an unbroken sequence of audits. The current sequence ends February 29, 2016. The next sequence must not exceed a year, and must be delivered within 3 months of the full year period expiring. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
