CA/Browser Forum

Ballot 46 – Audit Report Availability Timing (Passed Unanimously)

Motion

Jay Schiavo made the following motion and Bruce Morton and Bjorn Vermo endorsed it:

Motion begins

The current requirements for publication of audit reports are contained in Section 14.1.3:

14.1.3 Annual Independent Audit

(1) During the period in which it issues EV Certificates, the CA and its Root CA MUST undergo and pass either an annual (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit, or an ETSI TS 102 042 v2.1.1 audit. Such audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor.

(2) In cases where the CA is a Government Entity, an annual audit of the government CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified in (1), above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in the WebTrust Program for CAs and the WebTrust EV Program, or the ETSI TS 102 042 v2.1.1 program, and certifies that the government CA has successfully passed the audit.

(3) For both government and commercial CAs, the audit report MUST be made publicly available.

Effective immediately:

Erratum begins

In Section 14.1.3, delete: “(3) For both government and commercial CAs, the audit report MUST be made publicly available.”

And, insert: “(3) For both government and commercial CAs, the CA SHOULD make its audit report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by a browser supplier, the CA MUST provide an explanatory letter signed by its auditor.”

Erratum ends

The ballot review period comes into effect at 2100 UTC on 17 June ’10 and will close at 2100 UTC on 24 June ’10. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 6 July ’10.

Votes must be cast by “reply all” to this email.

A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.

The latest vote received from any representative of a voting member before the close of the voting period will be counted.

Motion ends
