Matthias, I took a lot of care to address precisely that concern, so I hope that message was not directed in response to me. If it was, then I think it highlights a fundamental misunderstanding of the concern.
I think everything you said is consistent with the response I offered. I would be far more deeply concerned with the auditor if they did not list such non-conformities, and took great care to try to highlight that the risk of penalizing based on the number of non-conformities listed would simply encourage CAs to work with their auditors to hide things. However, the response a CA takes to address those non-conformities /is/ a critical evaluation of trust. Your response, while appreciated, runs the risk of suggesting we can't make a decision to not trust a CA without evidence of non-conformities, but if there is evidence of non-conformities, we shouldn't use that as evidence in a decision to not trust a CA. That's not really sustainable, nor is it in line with the purpose and goal of audits themselves, at least as practiced by Mozilla since the first version of the root policy.

On Wed, Mar 11, 2020 at 11:45 AM Wiedenhorst, Matthias via dev-security-policy <[email protected]> wrote:
> Dear all,
>
> With regard to the findings listed in the different audit attestations, we would like to clarify that
> - all non-conformities have been resolved in a timely manner
> - the resolution has been audited by and proven to the certification body
>
> In addition, we would like to emphasise that a pure number of non-conformities is not per se an indication of poor quality of the TSP but more an indication of a thorough audit. Given the number of different CAs / services within the scope of the audit, the number of non-conformities appears to be not extraordinarily high.
> Please also keep in mind that, according to the current agreement, audit attestations list all non-conformities, independent of their severity and status (resolved or not). We feel that non-conformities should be evaluated individually and TSPs should not suffer any penalties just because of the number of non-conformities revealed in the audit.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

