Kurt Roeckx wrote:

> Since the previous audit wasn't one that covered a whole year, I
> expect the new audit to start where the previous one stopped and
> have it a year from that point.

This might be more of a question for cabforum but why do audits have to be 

I would think that a new audit would at least look at a random small period 
from the last audit (let's say one month, either at middle or end or around 
important event dates, like the SHA1 issuance ending on Dec 31st) and re-audit 
again that small period just to check that the previous auditor didn't miss any 
glaring issues.

If the audit report must cover a non-overlapping time period then have a 
separate section in the report for this small overlapped period and report it 
as such but at least it provides some checks that the previous auditor didn't 
miss obvious stuff.

This should be especially true (IMHO) for the case of E&Y HK where Gerv said 
for CNNIC:

"I think the fairest thing is to allow them to proceed with the inclusion
application, get them in the queue, and follow through all the steps,
expecting that by the time they get to the end, their new audit (by
another auditor) will be completed. Assuming it is good, we can include

I'm ok with that but I'd like to also see that the new auditor looks at (and 
reports on) a random sample time period that's covered by the previous 

Adrian R.
dev-security-policy mailing list
