> It is proposed in Issue #192
> <https://github.com/mozilla/pkipolicy/issues/192> that information about
> individual auditor's qualifications be provided--identity, competence,
> experience and independence. (For those interested as to this
> independence requirement, Mozilla Policy v.1.0 required either disclosure
> of the auditor's compensation or the establishment that the auditor "is
> bound by law, government regulation, and/or a professional code of ethics
> to render an honest and objective judgement regarding the CA.")
I am very much in favor of increasing transparency about the
qualifications of the auditors providing audit statements for CAs in our
program. However, I think that we need to spend more time figuring out a
few things before adding such a requirement to our policy. Therefore, I
think we should add this to our list of things to spend some focused
time to figure out in early 2021, and move this item to the next version
of Mozilla's root store policy.
Below are some of the questions we need to be able to answer before
adding this requirement to Mozilla's root store policy.
Please do NOT respond to these questions now. We will have future
discussions about this when we are ready.
- What information is needed and in what format to demonstrate each
individual auditor's qualifications?
- What are the criteria to be considered and what is sufficient to be
considered a qualified auditor?
- How do auditors apply to be considered qualified auditors?
- How can new participants become involved in this space and become
qualified auditors?
- What is the process to determine if an auditor is qualified?
- Does every auditor signing their name or listed in an audit statement
need to be verified as a qualified auditor? Or just the lead auditor?
- How are the qualifications of the auditors communicated in conjunction
with the audit statement(s)?
- Who is responsible for verifying auditor qualifications?
- Who is responsible for maintaining the list of known qualified auditors?
- How do CAs find out if their auditors are qualified?
I look forward to having these discussions in full later, but I think
this effort is too large in scope for version 2.7.1 of Mozilla's Root
Store Policy.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy