Hi Ryan,

>My request was one of just taking a few days / a week to re-examine what
>the current BRs are, using your knowledge of your policies and practices,
>and make sure that all methods are consistent. For example, the 64-bits of
>entropy, the aligned-with-3.2.2.4.6 method of domain validation, etc. That
>your auditor did not flag these implies that your auditor did not do that
>level of analysis, but that's also not surprising given the role/function
>of auditors (some auditors do this as part of their engagements, some
>auditors do not, and generally both are seen as complying with the
>necessary level of professional duty; just the ones that do are better
>auditors, and the ones that don't may miss stuff that finds them removed as
>trusted auditors in the future)

>Because we've seen some CAs argue that "You didn't explicitly say we had to
>follow X in the BRs", I wanted to avoid that situation, by just making sure
>Kamu SM warrants that "We've read the BRs 1.4.2, we've examined our
>policies and practices, we believe they're consistent and apply" (or "We
>identified items X, Y, Z that we are fixing by doing A, B, C")

Upon your request, we re-examined the current version of the CAB BR (v1.4.2) with our CPS document, which describes our way of doing business. We did this work under these main headings: Identity Proofing, Technologies, Life Cycle Management, Certificate Profiles and Auditing Requirements. We read all related titles in the CPS and CAB BR 1.4.2. Besides, so as not to miss any amendment item stated in section 1.2.2 (Relevant Dates) of CAB BR v1.4.2, we have stated the Kamu SM approach for each item. The table is at this link: https://drive.google.com/file/d/0B3Yp-DkgL_W-OTR3cWxuOE84bmM/view?usp=sharing

As a result, we could not notice any major difference between our practices and CAB BR v1.4.2. The minor differences stated in the table will be fixed as soon as possible and will be ready for the next audit.

We hope that our examination meets your request, and if there is any other point you want to know, please do not hesitate to ask.

Best regards,

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

