All,
Section 5.1 of the CCADB Policy (https://www.ccadb.org/policy#51-audit-statement-content) now specifies required audit letter content very similar to what is currently in section 3.1.4 of the Mozilla Root Store Policy (MRSP). And so it has been proposed that much of the current language in MRSP § 3.1.4 be removed (GitHub Issue #239). However, two items do not appear in the CCADB’s list of required audit content—(1) locations audited or not audited and (2) auditor qualifications. Therefore, we are proposing the following language for the first paragraph of section 3.1.4.
--- Begin MRSP Edit ---
The publicly-available documentation relating to each audit MUST contain the information required by section 5.1 of the CCADB Policy and the CA locations that were or were not audited. Audit reports must also contain or be accompanied by the name of the lead auditor and qualifications of the team performing the audit, as required by section 3.2.
--- End MRSP Edit ---
Please provide us with your comments or suggestions.
Thanks,
Ben and Kathleen