On 31/10/17 00:13, Kathleen Wilson wrote: > Yes, that meets our requirement regarding stating the audit period > and if it is a period-of-time/full audit. The problem is that most > ETSI audit statements that we get do not say this. And it has been an > uphill battle for me to get ETSI audit statements to say this.
But is the problem that ETSI audit statements don't _say_ this, or is the problem that ETSI audits don't _do_ this? It seems to me the problem is the latter - i.e. it's not a problem with correctly describing what was done, it's a problem with what was actually done (or not done). Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy