On Thu, Jan 6, 2022 at 1:18 AM Moudrick M. Dadashov <[email protected]>
wrote:

> You asked if my comment was about Delegated Third Parties - sorry, no, I
> had in mind the CA [1] and its RAs [] as defined in BRs.
>

I'm not sure I understand this. An RA is a DTP.


> *Audit scope*
>
> *"If my above understanding is correct, then I’m not fully sure your
> argument here is correct. It’s certainly true that the RAs, which are DTPs,
> need to be audited, but that doesn’t necessarily propagate to the scope of
> the parent."*
>
> My comment was about Pekka's argument, which is quite typical to Telia
> Company AB and its affiliates, that their corporate ownership relationship
> is directly applicable to the CA operations, I believe this is
> fundamentally wrong.
>

I'm sorry, I'm still not sure I think I understand the substance of your
argument here, and it does seem like you're ascribing a particular malice
to Telia that appears to be unsubstantiated, at least at present.


> The CA has a single audit report and I’m OK with that, but, as I quoted
> earlier, the audit report says:
>
> "*Telia makes use of external registration authorities for subscriber
> registration activities, as disclosed in Telia's business practices. Our
> procedures did not extend to the controls exercised by these external
> registration authorities."*
>

Correct, this part is difficult to square with Pekka's remarks that they
were all part of the same audit scope, as the report does not appear to
substantiate this. That is, the WebTrust Illustrative Guidance provides
examples on how to disclose if no external RAs are involved, and that this
seems to highlight a disconnect that bears some clarification, at the
minimum.
