1. Audit standards (WebTrust and ETSI for example) check that the CA complies with its CPS - and that includes subordinates and external RAs.

From WebTrust: "In the hierarchical model, the root CA maintains the established "community of trust" by ensuring that each entity in the hierarchy conforms to a minimum set of practices. Adherence to the established policies may be tested through audits of the subordinate CAs and, in a number of cases, the RAs."

2. The EV audit programme is at: http://www.cabforum.org/WebTrustAuditGuidelines.pdf

From that doc: "The CA maintains controls and procedures to provide reasonable assurance that: applicable requirements of the CA/Browser Forum Guidelines for Extended Validation Certificates are included (directly or by reference) in contracts with subordinate CAs, RAs, Enterprise RAs, and subcontractors that involve or relate to the issuance or maintenance of EV Certificates, and the CA monitors and enforces compliance with the terms of the contracts."