Let's Encrypt audits


#1

I noticed that for the last tree years Let’s Encrypt published an audit in December on https://letsencrypt.org/repository/:

But not last year on December 15,2018.

  • Is that expected?

I also noticed that cert.webtrust.org, where the audits are hosted, doesn’t give access to old audits (2016 and 2015):

  • Could Let’s Encrypt host itself these expired audits?

All audits, expired or not, could be stored on https://github.com/letsencrypt/website/tree/master/content/en/documents (which maps to https://letsencrypt.org/documents/…), and the link on https://letsencrypt.org/repository/ could first point to webtrust.org and when it expire, be updated to point to https://letsencrypt.org/documents/…, or is there something preventing that?


#2

Those December 15 dates are when the audited period closed. They aren’t the dates that the audits actually get published on our website. It takes some time to get audits actually posted once the review itself is done, as we and the auditors have some paperwork to get done.


#3

And yes, we could and probably should self-host the older audits.


#4

Thanks !

Thanks so I’ve opened that issue: https://github.com/letsencrypt/website/issues/450


#5

The new 2018 audits are up on our website as of yesterday.