Re: Temporary WebTrust Seal for COVID Issues

2020-08-24 Thread Jakob Bohm via dev-security-policy

On 2020-08-20 20:34, Ben Wilson wrote:

> All,
>
> Some CAs have inquired about Mozilla's acceptance of WebTrust's temporary,
> 6-month seal related to COVID19 issues.
> See
> https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services
>
> According to that WebTrust webpage, the temporary seal will be offered only
> in situations that meet the following criteria:
>
> - The practitioner report has been qualified,
> - The qualification is directly related to government-imposed COVID-19
> scope restrictions only and is disclosed in the practitioner report, and
> - There are no qualifications due to control deficiencies in the period.
>
> It also states, "When a temporary seal has been granted, it is expected
> that a practitioner will be able to perform the procedures that could not
> be completed initially which gave rise to the scope limitation before the
> temporary seal expires. Where the practitioner is able to perform such
> procedures and is able to issue subsequently an unqualified report for the
> CA, the unqualified report could then be submitted to CPA Canada to obtain
> the traditional seal."
>
> For purposes of obtaining a timely audit, it appears that such a timely
> filed report would satisfy Mozilla Policy 3.1.3's annual audit filing
> requirements (
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#313-audit-parameters)
> and therefore it would not be a "delay".  For context see
> https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay
> and https://wiki.mozilla.org/CA/Audit_Statements#WebTrust_Audits.
>
> So as further guidance on the above page, I am proposing clarification that
> the Temporary WebTrust Seal for COVID-19-related qualified reports does not
> require the CA to file an Incident Report, but rather that we will create a
> CA Compliance bug in Bugzilla simply to track the expiration of the
> temporary seal.

As a relying party (end user of Mozilla products that use the root
store), I appreciate this, however I have a suggested simplification:

Simply mark the (early) expiry date of the temporary seal in the CCADB,
such that the usual audit-renewal procedures will trigger at the
appropriate time.

This obviously presumes that there is a way in the CCADB to mark an audit
report as having a shorter-than-one-year validity, as public discussions in
this group have frequently mentioned 3-month audits in specific cases.

Besides, as this crisis is expected to last closer to a full year than
6 months, one must wonder if auditors would have to inspect CA
facilities wearing full disposable hazmat suits to avoid transporting
the virus between redundant backup CA offices that have been kept
separate to ensure CA operations continue even if every person at one
office becomes critically ill.


> Thanks,
> Ben Wilson
> Mozilla Root Store Manager

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Temporary WebTrust Seal for COVID Issues

2020-08-20 Thread awa...--- via dev-security-policy
Ben, thank you for the detailed update. Your proposed guidance is pragmatic and 
reasonable. I'm sure many CAs appreciate the clarity.