Let's Encrypt audits


#1

I noticed that for the last three years Let’s Encrypt published an audit in December on https://letsencrypt.org/repository/:

But not last year on December 15, 2018.

  • Is that expected?

I also noticed that cert.webtrust.org, where the audits are hosted, doesn’t give access to old audits (2016 and 2015):

  • Could Let’s Encrypt host these expired audits itself?

All audits, expired or not, could be stored on https://github.com/letsencrypt/website/tree/master/content/en/documents (which maps to https://letsencrypt.org/documents/…), and the link on https://letsencrypt.org/repository/ could first point to webtrust.org and, when it expires, be updated to point to https://letsencrypt.org/documents/…, or is there something preventing that?


#2

Those December 15 dates are when the audited period closed. They aren’t the dates that the audits actually get published on our website. It takes some time to get audits actually posted once the review itself is done, as we and the auditors have some paperwork to get done.


#3

And yes, we could and probably should self-host the older audits.


#4

Thanks!

Thanks, so I’ve opened that issue: https://github.com/letsencrypt/website/issues/450


#5

The new 2018 audits are up on our website as of yesterday.


#6

So it may explain why ISRG Root X1 was listed in the Audit Reminder Emails of 15 January. I guess it’s resolved now, as it was in the 3-month period.

https://groups.google.com/d/msg/mozilla.dev.security.policy/IjgFwzGI_H0/8J8LZNlaDgAJ

Subject: Summary of January 2019 Audit Reminder Emails
Date: Tue, 15 Jan 2019 20:01:18 +0000 (GMT)

Mozilla: Audit Reminder
Root Certificates:
ISRG Root X1
Standard Audit: https://bug1441413.bmoattachments.org/attachment.cgi?id=8954264
Audit Statement Date: 2018-01-25
BR Audit: https://bug1441413.bmoattachments.org/attachment.cgi?id=8954265
BR Audit Statement Date: 2018-01-25
CA Comments: null