Hello all: I want to add my support for these inclusion considerations; these are excellent.
I had some thoughts about the auditors aspect. Perhaps one of the warning signs or troubling behaviours could be not rotating auditors. Granted that having the same group repeatedly visit will probably result in better audits over time, and that in some jurisdictions there may not be a wealth of eligible auditors, it may still be worth spelling out that, where possible, not rotating after 5/10 years is considered a warning sign / troubling behaviour.

Another thing that may be worth including as a troubling behaviour would be using an auditor that is not professionally licensed as an auditor in the jurisdiction. This may seem bizarre to spell out, but it is the case that Webtrust had such an auditor on their list of approved practitioners. When I informed Webtrust about this, the auditor was unceremoniously removed as a practitioner soon after, and when I received a reply there was no explanation as to why the auditor was removed. That is, I do not know whether it was a result of my disclosure or the timing was a coincidence, e.g., the auditor left voluntarily or its membership expired. I was also not given an answer to whether being a professionally licensed auditor is a requirement for Webtrust---but it can be made a requirement for Mozilla CAs. If it is a requirement for Webtrust, there is evidence that it is not enforced, because the auditor did audit a CA's operations under the auspices of Webtrust during the time in which it was not a licensed auditing firm.

Joel

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/857a5b40-68d6-4bbd-b5a3-1db68cff46e6n%40mozilla.org.
