Hi,

BR section 8.7 (specifically the first paragraph) requires CAs to do a self-audit at least every 3 months. Is this audit externalizable, e.g. through hiring an audit firm to perform this 'self-audit', or must this audit be done internally in the CA? The wording implies 'internally', but by squinting my eyes it could also be 'the CA can get anyone to do this audit[0], as long as it happens'.
Most of the wordings date back to BR v1.0 (s 17.8) and BR v1.3.0, making it difficult to find the rationales of that specific section.

-Matthias

[0] that is, minus the quarterly DTP audits, as those must be done by a Validation Specialist (which must be 'employed by the CA', thus with squinting technically could be a subcontractor?)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy