All,
I will greatly appreciate your ideas about the following.
In the Minimum Expectations section in
https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
I added:
""
* Both ETSI and WebTrust Audits must:
** Disclose each location that was included in the scope of the audit, as well as whether the inspection was physically carried out in person.
""
My question: What should "location" mean in the above requirement?
The problem is that we require public-facing audit statements, so I do
not want sensitive or confidential information in the audit statements,
such as the exact physical addresses of CA Operations and root cert
private key storage.
What information could be added to audit statements to give us a clear
sense about which CA facilities were and were not audited?
For example, if a CA happens to have two facilities in the same city
that should be audited, how can the audit statement clearly indicate if
all of that CA's facilities were audited without providing the exact
physical addresses?
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy