On Tuesday, November 3, 2020 at 5:53:52 PM UTC-6, Ben Wilson wrote:
> Historically, Mozilla Policy required that CAs "provide attestation of 
> their conformance to the stated verification requirements and other 
> operational criteria by a competent independent party or parties with 
> access to details of the CA's internal operations." 
> https://wiki.mozilla.org/CA:CertificatePolicyV1.0 "Competency" was "for 
> whom there is sufficient public information available to determine that the 
> party is competent to judge the CA's conformance to the stated criteria. In 
> the latter case the 'public information' referred to should include 
> information regarding the party's: 
> 
> - knowledge of CA-related technical issues such as public key 
> cryptography and related standards; 
> - experience in performing security-related audits, evaluations, or risk 
> analyses; *and* 
> - honesty and objectivity." 
> 
> Today, section 3.2 of the MRSP 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#32-auditors>
> states, "In normal circumstances, Mozilla requires that audits MUST be 
> performed by a Qualified Auditor, as defined in the Baseline Requirements 
> section 8.2," but under section 2.3 
> <https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#23-baseline-requirements-conformance>,
> "Mozilla reserves the right to accept audits by auditors who do not meet 
> the qualifications given in section 8.2 of the Baseline Requirements, or 
> refuse audits from auditors who do." 
> 
> Section 8.2 of the Baseline Requirements states an auditor must have: 
> 1. Independence from the subject of the audit; 
> 2. The ability to conduct an audit that addresses the criteria specified in 
> an Eligible Audit Scheme (see Section 8.1); 
> 3. Employs individuals who have proficiency in examining Public Key 
> Infrastructure technology, information security tools and techniques, 
> information technology and security auditing, and the third-party 
> attestation function; 
> 4. (For audits conducted in accordance with any one of the ETSI standards) 
> accredited in accordance with ISO 17065 applying the requirements specified 
> in ETSI EN 319 403; 
> 5. (For audits conducted in accordance with the WebTrust standard) licensed 
> by WebTrust; 
> 6. Bound by law, government regulation, or professional code of ethics; and 
> 7. Except in the case of an Internal Government Auditing Agency, maintains 
> Professional Liability/Errors & Omissions insurance with policy limits of 
> at least one million US dollars in coverage 
> 
> It is proposed in Issue #192 
> <https://github.com/mozilla/pkipolicy/issues/192> that information about 
> individual auditors' qualifications be provided--identity, competence, 
> experience and independence. (For those interested as to this independence 
> requirement, Mozilla Policy v.1.0 required either disclosure of the 
> auditor's compensation or the establishment that the auditor "is bound by 
> law, government regulation, and/or a professional code of ethics to render 
> an honest and objective judgement regarding the CA.") 
> 
> While subsection 3 of BR 8.2 requires "individuals who have proficiency in 
> examining Public Key Infrastructure technology, information security tools 
> and techniques, information technology and security auditing, and the 
> third-party attestation function," that fact needs evidence in order to be 
> established. The proposed resolution of this Issue #192 intends to 
> accomplish that. 
> 
> This proposal to require disclosure of individual auditor qualifications is 
> very similar to the approach adopted by the U.S. Federal PKI 
> <https://www.idmanagement.gov/wp-content/uploads/sites/1171/uploads/fpki-annual-review-requirements.pdf>
> (see Appendices B-1 and C). E.g., "Did each Audit Opinion Letter identify 
> the auditor and the individuals performing the audit?" In practice, the 
> information about auditor qualifications could be in the form of a separate 
> document, such as a curriculum vitae. 
> 
> Some initial, draft language to address this issue is located here: 
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/d0da7cb2b6db38e66c3a72e5c1db0e78e91d8df6
> 
> A new subsection 3. would be added to the list of audit requirements that 
> would require "[the] name(s) and qualifications of individuals performing 
> the audit, as required by section 3.2" and a new paragraph would be added 
> to section 3.2 that would say, "A Qualified Auditor MUST have relevant IT 
> Security experience, or have audited a number of CAs, and be independent 
> and not conflicted. Individuals have competence, partnerships and 
> corporations do not. Audit documentation of individual auditor 
> qualifications MUST be provided to Mozilla that is sufficient for Mozilla 
> to determine the competence, experience, and independence of the Qualified 
> Auditor. Mozilla will review each individual auditor’s credentials and 
> ensure that any Qualified Auditor has the collective set of skills required 
> by section 8.2 of the Baseline Requirements." 
> 
> Please provide your comments and suggestions in response to this email. 
> 
> Thanks, 
> 
> Ben

Thanks Ben.  Perhaps it would be helpful to provide context to how CPA Canada 
evaluates auditor qualifications.  CPA Canada assesses a WebTrust 
practitioner’s qualifications both on an annual basis, and upon each WebTrust 
engagement being performed.  The annual renewal process includes listing 
individual auditors’ qualifications and any other relevant information about 
the firm that changed since the previous renewal.  CPA Canada also requires 
similar information for each engagement performed and reviews it prior to 
issuing any WebTrust seal.  CPA Canada posts on its website a listing of firms 
that are deemed qualified to perform WebTrust engagements based on this 
process, but the details are not made public.  

Audit reports, whether for WebTrust, financial statements, or other forms of 
engagement reports providing assurance to users of the information, do not 
include specific audit team members’ names.  Simply stated, this desire to 
include individual auditor’s qualifications in a public report is not 
consistent with any other compliance reporting methods or reporting 
requirements for CAs, or any other auditee for that matter.  

Perhaps there is a way to have a communication protocol established with CPA 
Canada to identify those firms known to be deficient in technical competency 
that the community could use in evaluating the worthiness of an audit opinion 
when circumstances warrant.  If that is something that has merit, a discussion 
with CPA Canada directly would be the next step to explore this option to 
provide the user community the information they desire.   

Thanks,

Jeff
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy