Line 88: | Line 88: | ||
However, if the CA hierarchy can only be used for EV certificates, the CP/CPS clearly states this, and an annual scan of the certificate database proves that '''all''' end-entity certificates have the EV policy OID, then a separate WebTrust BR audit statement is not needed because it is encompassed within the WebTrust EV audit. In other words, the WebTrust EV audit statement will also suffice as the WebTrust BR audit statement. | However, if the CA hierarchy can only be used for EV certificates, the CP/CPS clearly states this, and an annual scan of the certificate database proves that '''all''' end-entity certificates have the EV policy OID, then a separate WebTrust BR audit statement is not needed because it is encompassed within the WebTrust EV audit. In other words, the WebTrust EV audit statement will also suffice as the WebTrust BR audit statement. | ||
Regarding "the CP/CPS clearly states this," the audited CP/CPS would have to say something | Regarding "the CP/CPS clearly states this," the audited CP/CPS would have to say something to the effect of: "All certificates issued underneath this hierarchy will always have the EV policy OID, and when the EV policy OID is present, we followed our EV policy". In other words, it would '''not''' be sufficient for the CP/CPS to say "'''If''' this EV policy OID is present, we followed our EV policy". | ||
== ETSI BR Audit Statement/Certificate == | == ETSI BR Audit Statement/Certificate == |
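Review bot: The sample CP/CPS wording in the revised "Regarding" paragraph says "All certificates issued underneath this hierarchy will always have the EV policy OID", but the paragraph above it conditions the exemption on '''all''' end-entity certificates having the EV policy OID, so the two scopes do not match. Suggest wording the sample as "All end-entity certificates issued underneath this hierarchy will always have the EV policy OID", so the statement a CA is asked to put in its CP/CPS covers the same set of certificates that the annual database scan checks and does not appear to include subordinate CA certificates.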