Public comments are a very important part of the OGF document approval process. Through public comments, documents are given scrutiny by people with a wide range of expertise and interests. Ideally, an OGF document will be self-contained, relying only on the other documents and standards it cites to be clear and useful. Public comments of any type are welcomed, from small editorial comments to broader comments about the scope or merit of the proposed document. The simple act of reading a document and providing a public comment that you read it and found it suitable for publication is very useful, and provides valuable feedback to the document authors.
Thank you for making public comments on this document!
Comments for Document: Guidelines for Auditing Grid CAs Version 1.0
Author(s): Y Tanaka, M Viljoen, S Rea
Public Comment End: 1 Apr, 2009
o the included checklist (chapter 3 "Auditing checklist") is a list against an old outdated Classic AP. Update is needed to reflect the current (Classic) AP
o also the document does not state that it must be updated when there is a newer version of the Classic AP available than it references
o the "Auditing checklist" would be of more use if it is split out into a separate referenced document or appendix in spreadsheet format; this way it is easier to create additional spreadsheets for the other IGTF-APs and include them as appendix or external reference as well
2. Layout nit-picks:
o all bullets of bulleted lists should be standard bullet dots
o for smoother reading all the text paragraphs should be printed justified
The addition of the RFC 2527 paragraph numbers is helpful for those CAs that have not updated their CPS.
Would it be possible to add a reference to the IGTF Audit checklist for Grid CAs Version 4.1? I didn't find it starting from the IGTF home page.
Mary Thompson, LBNL
Keeping and, more importantly, maintaining up-to-date information duplicated in two or more documents in different formats is a lot of effort.
Below is a minor comment:
The checklist (15) defines how to keep the pass phrase of the encrypted private key, but the evaluation method describes an evaluation method for the CA private key backup.
There is a TYPO, "??", in the table of the checklist (23).
Some minor comments:
- this document should come in many flavours, one for each AP. Each of those should bear the version of the corresponding AP in their name
- consequently, the Auditing Guideline documents should be revised & updated every time the corresponding AP changes (i.e. following every PMA meeting :)
- I agree on the usefulness of spreadsheet versions
- two short remarks on particular checklist items:
(2) Is there a single CA organisation per country, large region or international organization?
This should rather be discussed within the PMAs, and in some cases could be hard to judge/assess for an external auditor.
(52) How is the procedure of auditing described in the CP/CPS? (for RFC 3647)
This might seem out of place here as this is the very document that describes such an audit - CPS documents, on the other hand, are written against APs, RFCs and minimum requirements, and may or may not comply with anything written here about the specifics of an audit. Perhaps the audit requirements / specifications described in a CPS (if there are any) could be recorded in the pre-examination phase of an audit?
Adore the layout, do you mind telling where you downloaded the design from?