PS: In the meantime, we will continue to verify auditor qualifications
as described here:
https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications
On 11/12/20 4:27 PM, Kathleen Wilson wrote:
> It is proposed in Issue #192
> <https://github.com/mozilla/pkipolicy/issues/192> that information about
> individual auditor's qualifications be provided--identity, competence,
> experience and independence. (For those interested as to this
independence
> requirement, Mozilla Policy v.1.0 required either disclosure of the
> auditor's compensation or the establishment that the auditor "is
bound by
> law, government regulation, and/or a professional code of ethics to
render
> an honest and objective judgement regarding the CA.")
I am very much in favor of increasing transparency about the
qualifications of the auditors providing audit statements for CAs in our
program. However, I think that we need to spend more time figuring out a
few things before adding such a requirement to our policy. Therefore, I
think we should add this to our list of things to spend some focused
time to figure out in early 2021, and move this item to the next version
of Mozilla’s root store policy.
Below are some of the questions we need to be able to answer before
adding this requirement to Mozilla's root store policy.
Please do NOT respond to these questions now. We will have future
discussions about this when we are ready.
- What information is needed and in what format to demonstrate each
individual auditor's qualifications?
- What are the criteria to be considered and what is sufficient to be
considered a qualified auditor?
- How do auditors apply to be considered qualified auditors?
- How can new participants become involved in this space and become
qualified auditors?
- What is the process to determine if an auditor is qualified?
- Does every auditor signing their name or listed in an audit statement
need to be verified as a qualified auditor? Or just the lead auditor?
- How are the qualifications of the auditors communicated in conjunction
with the audit statement(s)?
- Who is responsible for verifying auditor qualifications?
- Who is responsible for maintaining the list of known qualified auditors?
- How do CAs find out if their auditors are qualified?
I look forward to having these discussions in full later, but I think
this effort is too large in scope for version 2.7.1 of Mozilla's Root
Store Policy.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
