
Audit report timing


Peter Bowen

Dec 7, 2015, 1:24:40 PM
to mozilla-dev-s...@lists.mozilla.org
The current CA policy does not specify when audit reports are due to
Mozilla relative to the end date of the audit period. It only says
that CAs must provide the reports to Mozilla within 30 days of
receiving the report from their auditor.

For the next version of the CA policy, I suggest that this be
remedied. I propose the following revised requirements:

- All audit reports must clearly state whether they are for a period
of time or point in time.
- All audit reports that cover a period of time must list the start
date and end date of the period
- All audit reports that are for a point in time must list the point
in time date
- All audit reports must separately include the date the report was
issued (which will necessarily be after the end date or point in time
date)
- All audit reports must be provided to Mozilla within three months of
the point in time date or the end date of the period

I think that all of these are reasonable and help to ensure that
compliance is appropriately monitored.

Thanks,
Peter

Jeremy Rowley

Dec 7, 2015, 1:35:09 PM
to Peter Bowen, mozilla-dev-s...@lists.mozilla.org
These are all things the auditors control, not necessarily CAs. Enacting something like this would require WebTrust and ETSI buy-in to update the templates and information. If you said the CA must clearly indicate in their submission that X, Y, and Z must happen, then it makes more sense (as the CA is the one communicating with Mozilla, not the auditor).
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Kurt Roeckx

Dec 7, 2015, 1:48:08 PM
to Peter Bowen, mozilla-dev-s...@lists.mozilla.org
On Mon, Dec 07, 2015 at 10:24:34AM -0800, Peter Bowen wrote:
> The current CA policy does not specify when audit reports are due to
> Mozilla relative to the end date of the audit period. It only says
> that CAs must provide the reports to Mozilla within 30 days of
> receiving the report from their auditor.
>
> For the next version of the CA policy, I suggest that this be
> remedied. I propose the following revised requirements:
>
> - All audit reports must clearly state whether they are for a period
> of time or point in time.
> - All audit reports that cover a period of time must list the start
> date and end date of the period
> - All audit reports that are for a point in time must list the point
> in time date
> - All audit reports must separately include the date the report was
> issued (which will necessarily be after the end date or point in time
> date)

I think these are all very useful things. I probably requested the
same thing but not that clearly.

> - All audit reports must be provided to Mozilla within three months of
> the point in time date or the end date of the period

The BRs already say exactly that in 8., but only about the end of
the audit period, not about the point in time date.


Kurt

David E. Ross

Dec 7, 2015, 6:22:34 PM
to mozilla-dev-s...@lists.mozilla.org
I was on the board of education for a public school district. State law
requires school districts to have annual audits. The audits for our
district covered the July-to-June fiscal year. The reports were
received generally in November or December (5 to 6 months after the
period audited).

In the USA, individual tax returns for income received during a calendar
year are not due until 15 April, 4.5 months after the end of the taxed
year.

I think
> within three months of the point in time date or the end date of
> the period
does not give the certification authority sufficient time to provide an
audit report to Mozilla.

--
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.

Varga Viktor

Mar 1, 2016, 4:57:26 PM
to mozilla-dev-s...@lists.mozilla.org

> > I think
> > within three months of the point in time date or the end date of
> > the period
> does not give the certification authority sufficient time to provide an
> audit report to Mozilla.
>
> --
> David E. Ross

I think David is right; it's hard to get an audit report by a deadline.
Also it's generally done yearly, but the timing of the audit is not so exact; sometimes the certification is delayed.

I think it's enough to define the frequency of audits, not the exact date.
Maybe Salesforce can alert if some CA's audits get closer to their end of validity.

regards, Viktor Varga