Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-20 Thread Gervase Markham via dev-security-policy
On 12/04/17 10:47, Gervase Markham wrote: > The proposal is to add the following bullets to section 3.1.3 ("Public > Audit Information"), perhaps reordering the list as appropriate: Adopted as proposed, with the exception (for simplicity) of removing the option of providing a "SHA1" fingerprint.

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Ryan Sleevi via dev-security-policy
On Wed, Apr 12, 2017 at 10:15 AM, Peter Bowen wrote: > On Wed, Apr 12, 2017 at 5:57 AM, Ryan Sleevi via dev-security-policy > wrote: > > > > A certificate hash does provide distinct value. > > > > The certificate hash is what is desired.

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Kurt Roeckx via dev-security-policy
On 2017-04-12 16:15, Peter Bowen wrote: On Wed, Apr 12, 2017 at 5:57 AM, Ryan Sleevi via dev-security-policy wrote: A certificate hash does provide distinct value. The certificate hash is what is desired. Yes, there could be multiple certificates. But

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Kurt Roeckx via dev-security-policy
On 2017-04-12 14:19, Jakob Bohm wrote: On 12/04/2017 12:44, Kurt Roeckx wrote: On 2017-04-12 11:47, Gervase Markham wrote: There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Jakob Bohm via dev-security-policy
On 12/04/2017 12:44, Kurt Roeckx wrote: On 2017-04-12 11:47, Gervase Markham wrote: There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what was not. The policy already has some

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Kurt Roeckx via dev-security-policy
On 2017-04-12 11:47, Gervase Markham wrote: There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what was not. The policy already has some requirements here, in section 3.1.3, mostly

Re: Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Jakob Bohm via dev-security-policy
On 12/04/2017 11:47, Gervase Markham wrote: There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what was not. The policy already has some requirements here, in section 3.1.3, mostly

Policy 2.5 Proposal: Expand requirements about what an Audit Statement must include

2017-04-12 Thread Gervase Markham via dev-security-policy
There are some items that it would be very helpful for auditors to state in their public-facing audit documentation so that we can be clear about what was covered and what was not. The policy already has some requirements here, in section 3.1.3, mostly relating to dates. The proposal is to add