CA/BR Audit Guidance: Difference between revisions

CA/BR Audit Guidance (view source)

Revision as of 21:58, 6 November 2014

1,315 bytes added , 6 November 2014

→‎WebTrust BR Audit Statement

Kathleen Wilson

Confirmed users, Administrators

5,526

edits

@@ Line 77: / Line 77: @@
 Definition: A ''qualified'' audit statement is issued when the auditor encountered one or more instances in which the CA does not comply with the audit criteria, however the CA is in compliance with the rest of the audit criteria.
+==== Extended Validation (EV) ====
+* PROPOSED Text -- under discussion in mozilla.dev.security.policy
+If the root certificate is enabled for EV treatment, then the following three public-facing audit statements are required annually:
+# WebTrust CA -- [http://www.webtrust.org/homepage-documents/item54279.pdf WebTrust Principles and Criteria for Certification Authorities]
+# WebTrust BR -- [http://www.webtrust.org/homepage-documents/item79806.pdf WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security]  (or [http://www.webtrust.org/homepage-documents/item72052.docx Principles and Criteria - SSL Baseline Requirements])
+# WebTrust EV -- [http://www.webtrust.org/homepage-documents/item79807.pdf WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL] (or [http://www.webtrust.org/homepage-documents/item76003.pdf Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria])
+However, if the CA hierarchy can only be used for EV certificates, and the CP/CPS clearly states this, then a separate WebTrust BR audit statement is not needed because it is encompassed within the WebTrust EV audit. In other words, the WebTrust EV audit statement will also suffice as the WebTrust BR audit statement.
 == ETSI BR Audit Statement/Certificate ==