On Thursday, February 11, 2021 at 12:41:44 PM UTC-6, Ben Wilson wrote:
> All, 
> 
> I've modified the proposed change to MRSP section 3.2 so that it would now 
> insert a middle paragraph that would read: 
> 
> "A Qualified Auditor MUST have relevant IT Security experience, or have 
> audited a number of CAs, and be independent and not conflicted. Individuals 
> have competence, partnerships and corporations do not. Each Audit Report 
> MUST be accompanied by documentation provided to Mozilla of individual 
> auditor qualifications sufficient for Mozilla to determine the competence, 
> experience, and independence of the Qualified Auditor." 
> 
> See 
> https://github.com/BenWilson-Mozilla/pkipolicy/commit/57063dc07f5b753184c94dbf5d0d30d0b9b90789
>  
> 
> The basis for further interpretation of the above language would still be 
> section 8.2 of the Baseline Requirements. ("In normal circumstances, 
> Mozilla requires that audits MUST be performed by a Qualified Auditor, as 
> defined in the Baseline Requirements section 8.2"). 
> 
> Section 3.1.4 still remains with a proposed subsection 3 - "name(s) and 
> qualifications of individuals performing the audit, as required by section 
> 3.2." 
> 
> I anticipate that additional guidance for how CAs should submit this 
> information will be made available here on the wiki - 
> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications. 
> 
> Ben
> On Thu, Jan 28, 2021 at 2:10 PM Ryan Sleevi <ry...@sleevi.com> wrote: 
> 
> > 
> > On Thu, Jan 28, 2021 at 3:05 PM Ben Wilson <bwi...@mozilla.com> wrote: 
> > 
> >> Thanks. My current thinking is that we can leave the MRSP "as is" and 
> >> that we write up what we want in 
> >> https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications, 
> >> which is, as you note, information about members of the audit team and how 
> >> individual members meet #2, #3, and #6. 
> >> 
> > 
> > Is this intended as a temporary fix until the issue is meaningfully 
> > addressed? Or are you seeing this as a long-term resolution of the issue? 
> > 
> > I thought the goal was to make the policy clearer on the expectations, and 
> > my worry is that it would be creating more work for you and Kathleen, and 
> > the broader community, because it puts the onus on you to chase down CAs to 
> > provide the demonstration because they didn't pay attention to it in the 
> > policy. This was the complaint previously raised about "CA Problematic 
> > Practices" and things that are forbidden, so I'm not sure I understand the 
> > distinction/benefit here from moving it out? 
> > 
> > I think the relevance to MRSP is trying to clarify whether Mozilla thinks 
> > of auditors as individuals (as it originally did), or whether it thinks of 
> > auditors as organizations. I think that if MRSP was clarified regarding 
> > that, then the path you're proposing may work (at the risk of creating more 
> > work for y'all to request that CAs provide the information that they're 
> > required to provide, but didn't know that). 
> > 
> > If the issue you're trying to solve is one about whether it's in the audit 
> > letter vs communicated to Mozilla, then I think it should be possible to 
> > achieve that within the MRSP and explicitly say that (i.e. not require it 
> > in the audit letter, but still requiring it). 
> > 
> > Just trying to make sure I'm not overlooking or misunderstanding your 
> > concerns there :) 
> > 
> >>
I wanted to clarify a couple of points.  Firms must be independent to do 
audit/assurance work.  If independence is impaired, for example, by one person 
in the firm performing management functions, the entire firm is no longer 
independent.  Firms have the responsibility to monitor the activities of their 
professionals, which also includes personal investments, to ensure they remain 
independent.

Also, WebTrust practitioners provide information on the firm and the 
professionals used on these engagements.  The information provided is closely 
aligned with the Auditor Qualifications you are describing.  As you know, CPA 
Canada provides a listing of qualified audit firms on its website.  Working 
closely with them could also help in instances where auditor qualifications are 
in question.

And one last item, thank you for hearing us on the listing of auditors 
performing the engagement.  The only place I am aware of that lists the audit 
partner in a comparable world is the signing audit partner on public company 
audits in the US, which is available on the SEC website.  Other than that, I am 
not aware of any other team member being listed.  We have seen listings of team 
members and related experience summarized on a non-publicly issued letter to 
management in the US Federal space.

Hope this helps!

Jeff
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy