On Friday, February 17, 2017 at 10:19:06 PM UTC-5, Ryan Sleevi wrote: > On Fri, Feb 17, 2017 at 5:17 PM, urijah--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On Friday, February 17, 2017 at 7:50:31 PM UTC-5, uri...@gmail.com wrote: > > > On Friday, February 17, 2017 at 7:23:54 PM UTC-5, Ryan Sleevi wrote: > > > > I have confirmed with CPA > > > > Canada that at during the 2016 and 2017 periods, EY Brazil was not a > > > > licensed WebTrust practitioner, as indicated at [4]. > > > > > > > > [4] > > > > http://www.webtrust.org/licensed-webtrust-practitioners-international/ > > item64419.aspx > > > > > > > > > The footnote at the above makes that a little hard to understand-- > > > > > > "EY refers to a member firm of Ernst & Young Global Limited. Through a > > license with Ernst & Young Global Limited all EY members are licensed to > > provide WebTrust for Certification Authorities services." > > > > Thanks for highlighting this. Indeed, while confirming the list was up to > date, I had missed the footnote. > > > > Additionally "Ernst Young Brazil" was listed as late as March 20, 2016 > > apparently. > > > > https://web-beta.archive.org/web/20160320161225/http://www. > > webtrust.org/licensed-webtrust-practitions-international/item64419.aspx > > > > > The audit was dated 2017/01/24, so the historic status would be irrelevant.
Sure. The strange thing to me (and possibly not relevant to this thread) is how both can be true--all E&Y members worldwide are licensed to do WebTrust audits, yet E&Y Brazil was taken *off* the WebTrust list in the latest update. I think http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx and https://web-beta.archive.org/web/20160320161225/http://www.webtrust.org/licensed-webtrust-practitions-international/item64419.aspx are possibly intended to be read differently. The old list giving specific named firms (or branches), by country (but saying it is a list of "global practitioners") the new list giving many fewer firms, but the country listing meaning...where they are active? If WebTrust revamped their approach to licensing, it might be good to know why/how and when. (And I don't see anywhere on their site where they discuss how they license auditors at all.) _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
