Hi Ben,

Thanks for the clarification, but I think any site that hosts CA operations must be in the scope of the audit. I can't figure out a scenario as you describe where there's a successful audit report.

Best,
Pedro

On Thursday, June 29, 2023 at 16:44:16 UTC+2, Ben Wilson wrote:
> Hi Pedro,
> If the CA has two sites, one primary and one secondary, and if the
> secondary site hasn't been audited during the audit period, then the audit
> letter should mention that.
> Thanks,
> Ben
>
> On Thu, Jun 29, 2023 at 1:39 AM Pedro Fuentes <[email protected]> wrote:
>
>> Hi Ben,
>> I'm a bit puzzled about how to specify the locations that "were not
>> audited".
>> What does this mean?
>> Thanks!
>> Pedro
>>
>> On Tuesday, June 27, 2023 at 17:37:44 UTC+2, Ben Wilson wrote:
>>
>>> All,
>>>
>>> Section 5.1 of the CCADB Policy
>>> https://www.ccadb.org/policy#51-audit-statement-content now specifies
>>> required audit letter content very similar to what is currently in section
>>> 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed
>>> that much of the current language in MRSP § 3.1.4 be removed. GitHub
>>> Issue #239 <https://github.com/mozilla/pkipolicy/issues/239>. However,
>>> two items do not appear in the CCADB's list of required audit content: (1)
>>> locations audited or not audited and (2) auditor qualifications.
>>> Therefore, we are proposing the following language for the first
>>> paragraph of section 3.1.4.
>>>
>>> --- Begin MRSP Edit ---
>>>
>>> The publicly-available documentation relating to each audit MUST contain
>>> the information required by section 5.1 of the CCADB Policy and the CA
>>> locations that were or were not audited. Audit reports must also contain or
>>> be accompanied by the name of the lead auditor and qualifications of the
>>> team performing the audit, as required by section 3.2.
>>>
>>> --- End MRSP Edit ---
>>>
>>> See also
>>> https://github.com/Mozilla/pkipolicy/compare/bf36841af0686676f0435769db8c641d7d17dfb3..8968d9b6fedc1f94f4afa6a59ce609b759f497e6
>>>
>>> Please provide us with your comments or suggestions.
>>>
>>> Thanks,
>>>
>>> Ben and Kathleen
