
BRs: Replace "CA" with "CA Operator" in section 8.1  #4

Description

@BenWilson-Mozilla

Section 8 of the BRs says that the "CA" shall do XYZ. Section 8.1 of the BRs says "the CA" shall obtain an audit report, etc., but shouldn't it say that the "CA operator" is required to do such things? I believe there is an issue here because the last paragraph of section 8.1 says,

If the CA does not have a currently valid Audit Report indicating compliance with one of
the audit schemes listed in Section 8.4, then, before issuing Publicly‐Trusted
Certificates, the CA SHALL successfully complete a point‐in‐time readiness assessment
performed in accordance with applicable standards under one of the audit schemes
listed in Section 8.4. The point‐in‐time readiness assessment SHALL be completed no
earlier than twelve (12) months prior to issuing Publicly‐Trusted Certificates and SHALL
be followed by a complete audit under such scheme within ninety (90) days of issuing
the first Publicly‐Trusted Certificate.

Most of this language was copied over from the EV Guidelines when the situation was that the EV certificate was being launched for the first time. Thus, a point-in-time readiness assessment was required. This no longer makes any sense.

Shouldn't a "CA operator with a currently valid audit report ... " not be required to have a point-in-time readiness assessment?

Shouldn't section 8.1 be edited to replace the "Point-in-Time readiness assessment" with something else? I.e., for the time it takes to get into root programs, doesn't it make sense to require a period-of-time audit instead of a point-in-time audit?

Are other fixes needed to this section and other parts of section 8?
