On Tue, Oct 25, 2016 at 12:12:47PM -0700, Ryan Sleevi wrote:
> That is, according to the BRs, the issuer of a technically constrained 
> subordinate CA has a BR-obligation to ensure that their TCSCs are adhering to 
> the BRs and the issuing CA's policies and practices, as well as conduct a 
> sampling audit quarterly.

My expectation of this is that the CA (CA1) that issued such a
constrained CA (CA2) is responsible for auditing CA2. When CA is
then audited, part of that audit is that they check that the
audits of CA2 have been done.


Kurt

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
