CAB Forum Certificate Issuers, Certificate Consumers, and Interested Parties Working to Secure the Web
Ballot 46 – Audit Report Availability Timing (Passed Unanimously)
Motion
Jay Schiavo made the following motion and Bruce Morton and Bjorn Vermo endorsed it:
Motion begins
The current requirements for publication of audit reports are contained in Section 14.1.3:
14.1.3 Annual Independent Audit
(1) During the period in which it issues EV Certificates, the CA and its Root CA MUST undergo and pass either an annual (i) WebTrust Program for CAs audit and (ii) WebTrust EV Program audit, or an ETSI TS 102 042 v2.1.1 audit. Such audits MUST cover all CA obligations under these Guidelines regardless of whether they are performed directly by the CA or delegated to an RA or subcontractor.
(2) In cases where the CA is a Government Entity, an annual audit of the government CA by the appropriate internal government auditing agency is acceptable in lieu of the audits specified in (1), above, provided that such internal government auditing agency publicly certifies in writing that its audit addresses the criteria specified in the WebTrust Program for CAs and the WebTrust EV Program, or the ETSI TS 102 042 v2.1.1 program, and certifies that the government CA has successfully passed the audit.
(3) For both government and commercial CAs, the audit report MUST be made publicly available.
Effective immediately:
Erratum begins
In Section 14.1.3, delete:-
“(3) For both government and commercial CAs, the audit report MUST be made publicly available.”
And, insert:-
“(3) For both government and commercial CAs, the CA SHOULD make its audit report publicly available no later than three months after the end of the audit period. In the event of a delay greater than three months, and if so requested by a browser supplier, the CA MUST provide an explanatory letter signed by its auditor.”
Erratum ends
The ballot review period comes into effect at 2100 UTC on 17 June ’10 and will close at 2100 UTC on 24 June ’10. Unless the motion is withdrawn during the review period, the voting period will start immediately thereafter and will close at 2100 UTC on 6 July ’10.
Votes must be cast by “reply all’ to this email.
A vote in favour of the motion must indicate a clear ‘yes’ in the response. A vote against must indicate a clear ‘no’ in the response. A vote to abstain must indicate a clear ‘abstain’ in the response. Unclear responses will not be counted.
The latest vote received from any representative of a voting member before the close of the voting period will be counted.
Motion ends