On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote:
> On 18/10/16 12:46, Kurt Roeckx wrote:
> > Are you saying you're expecting an audit report from November 2015
> > to November 2016, and so have the period from November to March
> > covered twice?
> There seems to be a persistent misunderstanding here.
> https://cert.webtrust.org/SealFile?seal=2092&file=pdf
> https://cert.webtrust.org/SealFile?seal=2091&file=pdf
> both say that the period when the auditors were examining CNNIC was
> November 2, 2015 to February 29, 2016. Obviously, it then took them time
> to write up their report and get it published and so on, but that's not
> relevant for this.

It does not say when the audit was performed. It says which period
of activity has been audited. Some reports also indicate when they
did the audit, but that's really not important.

Somewhere between 2016-03-01 and 2016-04-05 E&Y went to CNNIC
to audit them for what CNNIC did between 2015-11-02 and 2016-02-29.

If they have an audit that covers a year now, I expect the period to
be covered from 2016-03-01 to 2017-02-28. The auditor would then
have 3 months to perform the audit of that period and write a new
report. The new report (according to the BR rules) should be in by
2017-05-28 (or 2017-05-31, depending on how you want to count
months.) But I think Mozilla starts to count the 3 months from
date of the last report, so they would actually have until


dev-security-policy mailing list

Reply via email to