On Fri, Feb 7, 2020 at 12:27 PM Dimitris Zacharopoulos via dev-security-policy <[email protected]> wrote:
> Finally, I don't think auditor professional ethics have anything to do
> with this discussion. Both audit schemes allow for reports to be updated
> otherwise we wouldn't even have this option on the table. Challenging
> audit schemes is good and healthy but should probably be on a separate
> thread with specific concerns raised.

The professional ethics and standards are extremely relevant to this thread, because it's essential to understand what assurance a revised report provides. That is, it's incorrect to assume a revised report provides the same level of assurance as an original report, without understanding the professional standards and ethics involved. The absence of such standards and guidance, from ETSI, is further extremely relevant to understanding what levels of assurance the initial report provides, why an initial report may make mistakes, and what the implications are about an updated report.

More importantly, much like delaying revocation, it *shouldn't* be an option. The notion of revising a report is apparently without consequence to ETSI, but is of significant impact to WebTrust, and that's an extremely relevant factor to this discussion.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

