On Jul 24, 2:18 pm, Frank Hecker <[EMAIL PROTECTED]> wrote:
> Eddy Nigg wrote:
> > Frank, I'd like to know (again) what our policy is in regards of EV
> > audit requirements. As I understand from the bug report, Wells Fargo
> > didn't actually absolve the EV audit, but some EV readiness audit. I
> > think we are past the time where we'd accept such audits?
>
> A quick answer, I can research more later...
>
> We had a discussion about EV audits against the draft EV guidelines, and
> decided we would stop accepting such audits after a certain date (June
> 30, 2008?).
>
> But I think EV readiness audits are a different issue. IIRC readiness
> audits are done when a CA has implemented the infrastructure for EV but
> has not yet accumulated a significant operational history of EV
> issuance. So any CA that is new to EV will likely do a readiness audit
> first.
>
> IIRC this was true of some other CAs we've dealt with -- they started
> out with readiness audits, started issuing EV certs, and then by the
> time we were able to consider their requests in some cases they were
> still covered by the readiness audit and in other cases had advanced to
> a regular audit.
>
> Frank
>
> --
> Frank Hecker
> [EMAIL PROTECTED]

Not my issue, but I would like to add some clarification. It's a
chicken or the egg problem. A CA cannot start issuing EV certificates
without first passing an EV Pre-Issuance Readiness Audit (see 35a of
the Guidelines). On the other hand, a CA cannot have a WebTrust Audit
for EV until they have been in operation for a minimum of two months.
The pre-issuance readiness audit was put in place to bootstrap the
process.

From the Mozilla point of view, you might not be running into this
issue with very many CAs. Most EV CAs had their pre-issuance readiness
audit completed at the end of 2006 in order to be included in
Microsoft Vista/IE7 releases of Jan 2007. The subsequent WebTrust for
EV audits were completed later in 2007 at the time of their annual
WebTrust for CA audits. As Mozilla was just considering CAs for EV
status in 2008, most EV CAs would already have had a WebTrust for EV
audit report in hand.

Hope this helps.

Regards, Bruce.
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
