The problem that we ran into over the past year is that there can be business or other reasons that impact when a company like CPA Canada will enter into agreements (or end agreements) with other companies. So, while our desire is to require auditors to be either members of ACAB'c or listed on the CPA Canada website, there may be business reasons not related to CAs/PKI for which such relationships cannot be established or continued. We also learned over the past year that an auditor can be removed from such membership/list after they have already started or even finished the audit of the CA for that year, even when that auditor has been on the list for several previous years and has not done anything to warrant being removed.
Maybe we can replace the "SHOULD" with "MUST (unless written permission is granted by Mozilla)"... I'm not a fan of that type of wording, but at least it would be stronger than the "SHOULD", and would still enable us to handle certain situations that we have been running into without having to grant exceptions to written policy. I would also prefer to say "prior written permission", but we ran into situations in which the audits and audit statements had already been completed before the auditor was removed from the membership/list (through no fault of their own). So the text could become:

"ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors MUST (unless written permission is granted by Mozilla) be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and MUST (unless written permission is granted by Mozilla) be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."

Kathleen

On Tuesday, April 5, 2022 at 6:21:10 AM UTC-7 Ryan Sleevi wrote:
> Ben:
>
> As a whole, this change seems a significant step backwards, in that it removes the requirement for both WebTrust licensee and ACAB'c membership. There doesn't seem to be any explanation for this change, and your reply on Feb 3 seemed to support.
>
> In short, it's unclear how this addresses https://github.com/mozilla/pkipolicy/issues/219 - it seems to do quite the opposite.
>
> Maybe if we take a step back from your precise wording changes: What's the end state you'd like to accomplish? It seems this does the opposite of what's on the bug, and if that's intended, it might be useful to have some rationale and discussion on that.
>
> On Mon, Apr 4, 2022 at 11:59 AM Ben Wilson <[email protected]> wrote:
>> Please see language proposed to address Issue #219 here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048
>>
>> On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson <[email protected]> wrote:
>>> Adriano,
>>>
>>> Right now, we're considering the following language:
>>>
>>> "ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and SHOULD be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
>>>
>>> Thanks,
>>>
>>> Ben
>>>
>>> On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via [email protected] <[email protected]> wrote:
>>>> It is not clear to me whether a decision has been made on this matter. Would Mozilla please clarify? If this new requirement were introduced in the MRSP with immediate effect, it would cause non-trivial organizational problems for the CAs that are nearing their next audit cycle.
>>>>
>>>> Adriano
>>>>
>>>> ACTALIS S.p.A.
>>>>
>>>> On 03/02/2022 23:31, Ben Wilson wrote:
>>>>
>>>> Regarding "Relying on a non-official source for accreditation information has its own risks that should be taken seriously." - That isn't how it works - in the third column over on https://www.acab-c.com/members/, the link is to the official source, which is what we review.
>>>>
>>>> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:
>>>>>
>>>>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]> wrote:
>>>>>> Ben,
>>>>>>
>>>>>> The policy requirements should be structured to match the policy goals. You have mentioned two important ones, which I agree with. The first can be solved by requiring the use of ACAB’c templates. The second points to a legitimate issue that the NABs/CABs need to solve. Relying on a non-official source for accreditation information has its own risks that should be taken seriously.
>>>>>
>>>>> Tim,
>>>>>
>>>>> I don't want to belabor this point, but you haven't highlighted if, how, or why you believe WebTrust is different. WebTrust is organizationally and functionally the same as ACAB'c in this regard, as far as professional association goes. Do you believe WebTrust is only valid if the US or Canadian governments recognize it - knowing full well they reject such audits as being insufficient?
>>>>>
>>>>> This reply seems to demonstrate a fundamental misunderstanding about the role of CABs/NABs, or that there is some value that is not yet articulated. The burden of proof rests on you to demonstrate what this value is - and what these risks are, that you believe should be taken seriously. You have not yet done that.
>>>>>
>>>>>> There’s also no guarantee that ACAB’C membership will be free in the future. Organizations change. ACAB’c could also adopt membership rules which some organizations are unable to comply with.
>>>>>
>>>>> Again, how is this functionally different from WebTrust, which charges a licensing fee and which has restrictions on who can join? This is a point that goes back 20 years, in particular, during the discussion of Scott Perry as an auditor who was *not* WebTrust licensed at the time and not a CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert has used as their auditor (and which was recently acquired by Schellman).
>>>>>
>>>>> The argument here does not establish why Mozilla should be concerned about free or not. Similarly, the point that ACAB'c "could" do something is nothing more than unsubstantiated FUD, because it ignores the fact that if there was a negative development, Mozilla - or anyone else - could respond if necessary.
>>>>>
>>>>>> As was pointed out internally, ACAB’C is a very small association of mostly French and German auditors, with very few members. As much as I appreciate their work on templates and other issues, I don’t think forcing people to join another organization is a good thing for organizations to do, no matter how well-intended it is. It takes away their agency, which will certainly put a damper on their desire to participate.
>>>>>
>>>>> This is the closest we've got to actually establishing the substance of your objection, but it is entirely unclear what bearing it should have on this discussion. By this logic, requiring WebTrust licensed auditors is an equally unacceptable imposition - do you agree or not?
>>>>>
>>>>> Is there some point you believe is being overlooked? This message is full of conclusions, but lacks the logical footing necessary to reach those conclusions. If you think it's being misunderstood, please articulate.
>>>>>
>>>>> The fact that NABs/CABs have not solved this issue, that there have been years of discussion with ETSI, and that fundamentally the organizational goals of NABs/CABs are specifically to support those of Supervisory Bodies, and are not aligned with browser needs, appears to be entirely discarded here. There's zero reason to believe that continuing on the present course is somehow going to lead somewhere differently, other than in the abstract ideal state.
>>>>>
>>>>> I don't disagree that there are arguments being made here, but they're arguments that are easily refuted, or which don't logically hold. I hope I'm overlooking something.
>>>>>
>>>> --
>>>> You received this message because you are subscribed to the Google Groups "[email protected]" <[email protected]> group.
>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com
