Hello Ryan,

my message was not meant as a response to your previous message but as a 
general contribution.
I know that you have the deepest knowledge around the different audit schemes. 
However, others on this list might be less familiar with audits. That's why I 
thought it might be useful to provide some framing information from the 
auditor's perspective, although I know that you had already elaborated on some 
of the aspects.

I am not proposing that decisions should not be based on published 
non-conformities, but I wanted to point out that decisions shall consider all 
the facts and should not be based purely on the number of non-conformities. As 
you said, just counting "bad" points without looking at the whole picture might 
set wrong incentives.

Best regards
Matthias


From: Ryan Sleevi <r...@sleevi.com>
Sent: Wednesday, 11 March 2020 19:18

Matthias,

I took a lot of care to address precisely that concern, so I hope that message 
was not directed in response to me. If it was, then I think it highlights a 
fundamental misunderstanding of the concern.

I think everything you said is consistent with the response I offered. I 
would be far more deeply concerned with the auditor if they did not list such 
non-conformities, and took great care to try to highlight that the risk of 
penalizing based on the number of non-conformities listed would simply encourage 
CAs to work with their auditors to hide things. However, the response a CA 
takes to address those non-conformities /is/ a critical evaluation of trust.

Your response, while appreciated, runs the risk of suggesting we can't make a 
decision to not trust a CA without evidence of non-conformities, but if there 
is evidence of non-conformities, we shouldn't use that as evidence in a 
decision to not trust a CA. That's not really sustainable, nor is it in line 
with the purpose and goal of audits themselves, at least as practiced by 
Mozilla since the first version of the root policy.

On Wed, Mar 11, 2020 at 11:45 AM Wiedenhorst, Matthias via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:
Dear all,

With regard to the findings listed in the different audit attestations, we 
would like to clarify that
- all non-conformities have been resolved in a timely manner
- the resolution has been audited by and proven to the certification body

In addition, we would like to emphasise that the pure number of non-conformities 
is not per se an indication of poor quality of the TSP but more an indication 
of a thorough audit. Given the number of different CAs / services within the 
scope of the audit, the number of non-conformities appears to be not 
extraordinarily high.
Please also keep in mind that, according to the current agreement, audit 
attestations list all non-conformities, independent of their severity and 
status (resolved or not). We feel that non-conformities should be evaluated 
individually and TSPs should not suffer any penalties just because of the 
number of non-conformities revealed in the audit.

______________________________________________________________________________________________________________________
Sitz der Gesellschaft/Headquarter: TÜV Informationstechnik GmbH * 
Langemarckstr. 20 * 45141 Essen, Germany
Registergericht/Register Court: Amtsgericht/Local Court Essen * HRB 11687 * 
USt.-IdNr./VAT No.: DE 176132277 * Steuer-Nr./Tax No.: 111/57062251
Geschäftsführung/Management Board: Dirk Kretzschmar