All, Some CAs have inquired about Mozilla's acceptance of WebTrust's temporary, 6-month seal related to COVID19 issues. See https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services
According to that WebTrust webpage, the temporary seal will be offered only in situations that meet the following criteria: - The practitioner report has been qualified, - The qualification is directly related to government-imposed COVID-19 scope restrictions only and is disclosed in the practitioner report, and - There are no qualifications due to control deficiencies in the period. It also states, "When a temporary seal has been granted, it is expected that a practitioner will be able to perform the procedures that could not be completed initially which gave rise to the scope limitation before the temporary seal expires. Where the practitioner is able to perform such procedures and is able to issue subsequently an unqualified report for the CA, the unqualified report could then be submitted to CPA Canada to obtain the traditional seal." For purposes of obtaining a timely audit, it appears that such a timely filed report would satisfy Mozilla Policy 3.1.3's annual audit filing requirements ( https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#313-audit-parameters) and therefore it would not be a "delay". For context see https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay and https://wiki.mozilla.org/CA/Audit_Statements#WebTrust_Audits. <https://wiki.mozilla.org/CA/Audit_Statements#WebTrust_Audits> So as further guidance on the above page, I am proposing clarification that the Temporary WebTrust Seal for COVID-19-related qualified reports does not require the CA to file an Incident Report, but rather that we will create a CA Compliance bug in Bugzilla simply to track the expiration of the temporary seal. Thanks, Ben Wilson Mozilla Root Store Manager <https://wiki.mozilla.org/CA/Audit_Statements#Audit_Delay> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy