Hi,

BR section 8.7 (specifically the first paragraph) requires CAs to do a
self-audit at least every 3 months. Is this audit externalizable, e.g.
through hiring an audit firm to perform this 'self-audit', or must
this audit be done internally in the CA?
The wording implies 'internally', but by squinting my eyes it could
also be 'the CA can get anyone to do this audit[0], as long as it
happens'.

Most of the wordings date back to BR v1.0 (s 17.8) and BR v1.3.0,
making it difficult to find the rationales of that specific section.


-Matthias

[0] that is, minus the quarterly DTP audits, as those must be done by
a Validation Specialist (which must be 'employed by the CA', thus with
squinting technically could be a subcontractor?)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
