On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a persistent misunderstanding here. > > https://cert.webtrust.org/SealFile?seal=2092&file=pdf > https://cert.webtrust.org/SealFile?seal=2091&file=pdf > both say that the period when the auditors were examining CNNIC was > November 2, 2015 to February 29, 2016. Obviously, it then took them time > to write up their report and get it published and so on, but that's not > relevant for this.
It does not say when the audit was performed. It says which period of activity has been audited. Some reports also indicate when they did the audit, but that's really not important. Somewhere between 2016-03-01 and 2016-04-05 E&Y went to CNNIC to audit them for what CNNIC did between 2015-11-02 and 2016-02-29. If they have an audit that covers a year now, I expect the period to be covered from 2016-03-01 to 2017-02-28. The auditor would then have 3 months to perform the audit of that period and write a new report. The new report (according to the BR rules) should be in by 2017-05-28 (or 2017-05-31, depending on how you want to count months.) But I think Mozilla starts to count the 3 months from date of the last report, so they would actually have until 2016-07-05. Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
