Kyle Hamilton wrote:
> What are the continuing audit requirements? ARE there any continuing
> audit requirements? How do the audit guidelines for EV differ from
> the audit guidelines for WebTrust? And where are the audits made
> public? (Are they made public? If not, what aspects are made public?
> Are the number of exceptions made public? Would the number of
> exceptions for each individual point in the CPS be made public?)
With respect to EV in particular, the EV guideline documents are public and have been public for some time (for at least a year, probably longer); the relevant documents are the guidelines themselves and the WebTrust EV criteria used for WebTrust EV audits:

http://www.cabforum.org/EV_Certificate_Guidelines.pdf
http://www.cabforum.org/WebTrustAuditGuidelines.pdf

These documents are linked to from the Mozilla CA policy page

http://www.mozilla.org/projects/security/certs/policy/

and from the CAB Forum site (http://www.cabforum.org/) (look under "Documents" at the top of the page).

The EV guidelines mandate an annual audit according to the WebTrust for CAs and WebTrust EV criteria (or equivalent criteria as approved by the CAB Forum). Summary results of these audits are published on webtrust.org; this is the so-called "Audit Report and Management Assertions" document. (The WebTrust people have just started posting WebTrust EV reports; some of the earlier EV reports are available only from the CA.) For examples see the WebTrust-related audit links in the Mozilla pending CA list:

http://www.mozilla.org/projects/security/certs/pending/

These documents are summary documents; they do not contain detailed checklists of compliance (or non-compliance) with particular criteria and CPS requirements. I suspect that if any problems are found during an audit the typical course of action is to correct the problems and have the auditors verify the corrections, so that the final public report can be clean. However note that I have in fact seen WebTrust audit reports that list one or more deficiencies in compliance; in any such cases we would have to judge whether or not the deficiencies were material in relation to our policy and its goals.

I can't remember if the vanilla WebTrust for CAs criteria require annual audits or not. However note that the CPSs for many CAs do specify an annual audit requirement.
Frank
--
Frank Hecker
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto