Just trying to see how harmonized the auditor requirements for various regional systems (e.g. North American vs European) are.

If CPA Canada is like a NAB in Europe, then what would be an analog for ACAB?

Thanks,
M.D.

On Tue, Apr 5, 2022, 19:19 Kathleen Wilson <[email protected]> wrote:

> The problem that we ran into over the past year is that there can be business or other reasons that impact when a company like CPA Canada will enter into agreements (or end agreements) with other companies. So, while our desire is to require auditors to be either members of ACAB'c or listed on the CPA Canada website, there may be business reasons not related to CAs/PKI for which such relationships cannot be established or continued. We also learned over the past year that an auditor can be removed from such membership/list after they have already started or even finished the audit of the CA for that year, even when that auditor has been on the list for several previous years and has not done anything to warrant being removed.
>
> Maybe we can replace the "SHOULD" with "MUST (unless written permission is granted by Mozilla)"...
>
> I'm not a fan of that type of wording, but at least it would be stronger than the "SHOULD", and would still enable us to handle certain situations that we have been running into without having to grant exceptions to written policy.
>
> I would also prefer to say "prior written permission", but we ran into situations in which the audits and audit statements had already been completed before the auditor was removed from the membership/list (to no fault of their own).
>
> So the text could become:
>
> "ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors MUST (unless written permission is granted by Mozilla) be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and MUST (unless written permission is granted by Mozilla) be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
>
> Kathleen
>
> On Tuesday, April 5, 2022 at 6:21:10 AM UTC-7 Ryan Sleevi wrote:
>
>> Ben:
>>
>> As a whole, this change seems a significant step backwards, in that it removes the requirement for both WebTrust licensee and ACAB'c membership. There doesn't seem to be any explanation for this change, and your reply on Feb 3 seemed to support.
>>
>> In short, it's unclear how this addresses https://github.com/mozilla/pkipolicy/issues/219 - it seems to do quite the opposite.
>>
>> Maybe if we take a step back from your precise wording changes: What's the end state you'd like to accomplish? It seems this does the opposite of what's on the bug, and if that's intended, it might be useful to have some rationale and discussion on that.
>>
>> On Mon, Apr 4, 2022 at 11:59 AM Ben Wilson <[email protected]> wrote:
>>
>>> Please see language proposed to address Issue #219 here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048 .
>>>
>>> On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson <[email protected]> wrote:
>>>
>>>> Adriano,
>>>>
>>>> Right now, we're considering the following language:
>>>>
>>>> "ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and SHOULD be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
>>>>
>>>> Thanks,
>>>>
>>>> Ben
>>>>
>>>> On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via [email protected] <[email protected]> wrote:
>>>>
>>>>> It is not clear to me whether a decision has been made on this matter. Would Mozilla please clarify? If this new requirement were introduced in the MRSP with immediate effect, it would cause non-trivial organizational problems for the CAs that are nearing their next audit cycle.
>>>>>
>>>>> Adriano
>>>>>
>>>>> ACTALIS S.p.A.
>>>>>
>>>>> On 03/02/2022 23:31, Ben Wilson wrote:
>>>>>
>>>>> Regarding "Relying on a non-official source for accreditation information has its own risks that should be taken seriously." - That isn't how it works - in the third column over on https://www.acab-c.com/members/, the link is to the official source, which is what we review.
>>>>>
>>>>> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:
>>>>>
>>>>>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]> wrote:
>>>>>>
>>>>>>> Ben,
>>>>>>>
>>>>>>> The policy requirements should be structured to match the policy goals. You have mentioned two important ones, which I agree with. The first can be solved by requiring the use of ACAB’c templates. The second points to a legitimate issue that the NABs/CABs need to solve. Relying on a non-official source for accreditation information has its own risks that should be taken seriously.
>>>>>>
>>>>>> Tim,
>>>>>>
>>>>>> I don't want to belabor this point, but you haven't highlighted if, how, or why you believe WebTrust is different. WebTrust is organizationally and functionally the same as ACAB'c in this regard, as far as professional association goes. Do you believe WebTrust is only valid if the US or Canadian governments recognize it - knowing full well they reject such audits as being insufficient?
>>>>>>
>>>>>> This reply seems to demonstrate a fundamental misunderstanding about the role of CABs/NABs, or that there is some value that is not yet articulated. The burden of proof rests on you to demonstrate what this value is - and what these risks are, that you believe should be taken seriously. You have not yet done that.
>>>>>>
>>>>>>> There’s also no guarantee that ACAB’C membership will be free in the future. Organizations change. ACAB’c could also adopt membership rules which some organizations are unable to comply with.
>>>>>>
>>>>>> Again, how is this functionally different from WebTrust, which charges a licensing fee and which has restrictions on who can join? This is a point that goes back 20 years, in particular, during the discussion of Scott Perry as an auditor who was *not* WebTrust licensed at the time and not a CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert has used as their auditor (and which was recently acquired by Shellman).
>>>>>>
>>>>>> The argument here does not establish why Mozilla should be concerned about free or not. Similarly, the point that ACAB'c "could" do something is nothing more than unsubstantiated FUD, because it ignores the fact that if there was a negative development, Mozilla - or anyone else - could respond if necessary.
>>>>>>
>>>>>>> As was pointed out internally, ACAB’C is a very small association of mostly French and German auditors, with very few members. As much as I appreciate their work on templates and other issues, I don’t think forcing people to join another organization is a good thing for organizations to do, no matter how well-intended it is. It takes away their agency, which will certainly put a damper on their desire to participate.
>>>>>>
>>>>>> This is the closest we've got to actually establishing the substance of your objection, but it is entirely unclear what bearing it should have on this discussion. By this logic, requiring WebTrust licensed auditors is an equally unacceptable imposition - do you agree or not?
>>>>>>
>>>>>> Is there some point you believe is being overlooked? This message is full of conclusions, but lacks the logical footing necessary to reach those conclusions. If you think it's being misunderstood, please articulate.
>>>>>>
>>>>>> The fact that NABs/CABs have not solved this issue, that there has been years of discussion with ETSI, and that fundamentally the organizational goals of NABs/CABs is specifically to support that of Supervisory Bodies, and is not aligned with browser needs, appears to be entirely discarded here. There's zero reason to believe that continuing on the present course is somehow going to lead somewhere differently, other than in the abstract ideal state.
>>>>>>
>>>>>> I don't disagree that there are arguments being made here, but their arguments that are easily refuted, or which don't logically hold. I hope I'm overlooking something.
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google Groups "[email protected]" <[email protected]> group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com.
