On 23/3/2018 9:44 PM, Wayne Thayer via dev-security-policy wrote:
> Therefore, the only action I plan to take on this is
> to ask the WebTrust Task Force for their opinion on "wind-down" audits, and
> also to ask them if it is possible for a CA to obtain a period-of-time
> audit for a hierarchy that hasn't issued any certificates in the period. I
> will appreciate any additional suggestions that could help to resolve this
> issue.
Auditors check what is required according to their audit criteria. There is no different "set of criteria" for "wind-down" CAs. Common sense dictates that a Qualified Auditor will check all the requirements and note down any divergence from the standards. Not issuing certificates is not a divergence, but, for example, not issuing CRLs at the proper interval mentioned in the standards is a non-conformance.

If a CA doesn't actively issue certificates, that "possibly" makes the audit days fewer, because the sampling verification is less compared to a CA that actively issues certificates. I think both WebTrust and ETSI have a standard for auditors to calculate audit days, so there is an absolute minimum for all the controls and then they add days according to the CA's operations, locations and so on. In other words, an audit for a "wind-down" CA might be cheaper compared to an actively issuing CA, but there is a baseline.

Dimitris.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy