[cabfpub] BRs, audits and historical point-in-time events

Gervase Markham gerv at mozilla.org
Tue Jul 22 13:59:27 UTC 2014


The following situation in regard to the BRs recently arose. What is the
wisdom of the group?

* Ca Foo, Inc. wishes to include their root in Mozilla products.

* By Mozilla policy, this requires an audit to check they are following
  the BRs.

* CA Foo's auditors are Bar Audit Corp.

* Some time in 2012, CA Foo created a root.

* Bar Audit Corp audited that root creation process according to
  WebTrust 2.0 and WebTrust for EV 1.3.

* However, they did not audit it according to the BRs.

* The BRs require, in section 17.7, that all roots created after 1st
  July 2012 meet certain procedural criteria.

* However, Bar Audit Corp can't go back and reaudit a one-time event
  according to different criteria.

* How then can CA Foo pass its BR audit?

To generalise, the problem is that the BRs require something which is
difficult to do in retrospect if you didn't do it at the time - which
may be because you didn't even know about the BRs or that they were
relevant to you. How do we handle that?

Gerv



More information about the Public mailing list