Wayne,

We will work on how to address this within the EU audit framework based on EN 
319 403.

TS 119 403-2 already includes some additional requirements specifically for PTC 
to cover the CABF concerns for yearly audit and period of time audit review of 
events since the previous audit.  An update to this document to address these 
concerns is an option that we will consider.

May I ask for your patience and forbearance in the time taken to carry out this 
work.

Nick

On Monday, November 19, 2018 at 11:01:54 PM UTC, Wayne Thayer wrote:
> Hi Nick,
> 
> I had been thinking that 119 403-2 was just intended as an attestation
> statement template, similar to the WebTrust reporting guidance [1]. Now I
> understand that it can include more substantial requirements.
> 
> This is certainly not a complete list, but specific to this discussion I
> would start with the following concerns:
> * Reporting on major and minor non-conformities - I have yet to ever see an
> ETSI attestation listing a major non-conformity, but I have shared several
> examples listing minor non-conformities with ETSI representatives. We need
> standards that require consistent disclosure of all types of
> non-conformities in attestation statements. Disclosure is required even if
> a CA fixes a non-conformity within an acceptable time frame (based on ETSI
> standards).
> * Disclosure when a CA violates the BR revocation timeline requirements,
> even if their actions are perfectly acceptable under ETSI standards for
> remediation.
> * Disclosure of testing and sampling methodologies used in an audit.
> 
> - Wayne
> 
> [1] http://www.webtrust.org/practitioner-qualifications/item64422.aspx
> 
> On Mon, Nov 19, 2018 at 8:25 AM Nick Pope via dev-security-policy <
> [email protected]> wrote:
> 
> > Restating my earlier offer we would welcome a clear statement of any
> > concerns or wishes resulting from the discussions, on this or other related
> > threads, against the measures already proposed in TS 119 403-2 and its
> > parent standard.  We can then discuss this with the European stakeholders
> > and see how we could best answer these concerns
> >
> > Nick
> >
> > On Friday, November 16, 2018 at 4:46:34 PM UTC, Wayne Thayer wrote:
> > > On Thu, Nov 15, 2018 at 1:51 PM Ryan Sleevi <[email protected]> wrote:
> > >
> > ...
> > >
> > > In either case, I think we're missing normative guidance to objectively
> > > distinguish poor judgement from policy violations.  To that end, I think
> > > Nick's request for us to better define root program expectations is a
> > > reasonable one. Analyzing current and past issues can certainly help us to
> > > define these requirements.
> >
> >

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
