Hi Kathleen,

Related to the below, it would be helpful if the WebTrust organization would disclose additional details on the licensed WebTrust practitioners: right now there is no data publicly available on historical WebTrust auditor licensing. We don't know as of when an auditor has been licensed and, as far as I am aware, there is no overview of auditors that did not renew, withdrew or had their license revoked. Having such a list would certainly help CAs in the auditor selection process and better monitoring of auditor qualifications.

The Dutch NAB has an excellent inventory of their suspensions and withdrawals of accreditations: https://www.rva.nl/en/accredited-organisations/suspended-withdrawals. We think everyone would benefit from the WebTrust task force / CPA Canada maintaining a similar public inventory.

Thanks,
Arvid

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Kathleen Wilson via dev-security-policy
> Sent: Thursday 4 June 2020 1:21
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Verifying Auditor Qualifications
>
> All,
>
> It recently came to my attention that I need to be more diligent in verifying auditor qualifications. Therefore, we have added a field in the CCADB called “Date Qualifications Verified” (on Auditor Location objects), which will be used to remind root store operators to check each auditor’s qualifications every year. This field can only be edited by a root store operator, and we will enter this date whenever we confirm that the auditor is still qualified to perform ETSI or WebTrust audits.
>
> Some of you may notice that your Audit Case or Root Inclusion Case has the message: “Auditor Verification Date is blank”. This warning message is intended to remind root store operators that we need to verify the auditor's qualifications. In the future you may also notice a warning message when the date in that field is over a year old, reminding us root store operators to re-verify the auditor's qualifications.
>
> I will greatly appreciate your input on the following new wiki page section, especially in regards to verifying auditor qualifications.
>
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
>
> Thanks,
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy