CA:MaintenanceAndEnforcement: Difference between revisions

Line 37: Line 37:
   
   


We depend on audit statements to confirm that CAs are continuing to maintain their operations in conformance with Mozilla's CA Certificate Policy. When reviewing an audit statement, if the statement is provided on the webtrust.org website or an known auditor's website or on a government certified website, then we assume the statement is legitimate, and review the statement to make sure it covers the root certs that are included in Mozilla's program. If the audit statement is provided directly by the CA, then we first check the qualifications of the auditor, and then send email directly to the auditor to confirm the authenticity of the audit statement. To check the qualifications of the auditor, if it is not someone we have previously verified, we check the [http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx webtrust.org website] or the government's website to see if the auditor is accredited. If the auditor claims to be AICPA/CICA/CISA accredited and we don't recognize them or they are not listed on a trusted website as being accredited, then we will send email to a representative of CICA or CISA, depending on the audit credentials that are being claimed.
We depend on audit statements to confirm that CAs are continuing to maintain their operations in conformance with Mozilla's CA Certificate Policy. When reviewing an audit statement, if the statement is provided on the webtrust.org website, a known auditor's website, or on a government certified website; then we assume the statement is legitimate, and review the statement to make sure it covers the root certs that are included in Mozilla's program. If the audit statement is provided directly by the CA, then we first check the qualifications of the auditor, and then send email directly to the auditor to confirm the authenticity of the audit statement. To check the qualifications of the auditor, if it is not someone we have previously verified, we check the [http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx webtrust.org website] or the government's website to see if the auditor is accredited. If the auditor claims to be AICPA/CICA/CISA accredited and we don't recognize them or they are not listed on a trusted website as being accredited, then we will send email to a representative of CICA or CISA, depending on the audit credentials that are being claimed.


= Risks to Consumers =
= Risks to Consumers =
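
Review bot: The semicolon introduced in "or on a government certified website; then we assume the statement is legitimate" separates the if-clause from its main clause; use a comma there, and drop the leftover "on" so the three sources read in parallel ("on the webtrust.org website, a known auditor's website, or a government certified website, then we assume ..."). The last sentence of the paragraph, unchanged by this revision, lists AICPA/CICA/CISA as the claimed accreditations but names only a representative of CICA or CISA as the contact for confirmation; while this paragraph is being edited, state who is contacted when the claim is AICPA.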