Just trying to see how harmonized the auditor requirements for
various regional systems (e.g. North American vs European) are.
If CPA Canada is like a NAB in Europe, then what would be an analog
for ACAB?
Thanks,
M.D.
On Tue, Apr 5, 2022, 19:19 Kathleen Wilson <[email protected]> wrote:
The problem that we ran into over the past year is that there can
be business or other reasons that impact when a company like CPA
Canada will enter into agreements (or end agreements) with other
companies. So, while our desire is to require auditors to be
either members of ACAB'c or listed on the CPA Canada website,
there may be business reasons not related to CAs/PKI for which
such relationships cannot be established or continued. We also
learned over the past year that an auditor can be removed from
such membership/list after they have already started or even
finished the audit of the CA for that year, even when that auditor
has been on the list for several previous years and has not done
anything to warrant being removed.
Maybe we can replace the "SHOULD" with "MUST (unless written
permission is granted by Mozilla)"...
I'm not a fan of that type of wording, but at least it would be
stronger than the "SHOULD", and would still enable us to handle
certain situations that we have been running into without having
to grant exceptions to written policy.
I would also prefer to say "prior written permission", but we ran
into situations in which the audits and audit statements had
already been completed before the auditor was removed from the
membership/list (through no fault of their own).
So the text could become:
"ETSI Audit Attestation Letters MUST follow the Audit Attestation
Letter template on the [ACAB'c
website](https://www.acab-c.com/downloads), and
ETSI auditors MUST (unless written permission is granted by
Mozilla) be listed as [CAB-members on the ACAB'c
website](https://www.acab-c.com/members/). WebTrust audit statements
MUST follow the practitioner guidance, principles, and
illustrative assurance reports on the [CPA Canada
website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria),
and MUST (unless written permission is granted by Mozilla) be
listed as an enrolled WebTrust practitioner on the [CPA Canada
website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
Kathleen
On Tuesday, April 5, 2022 at 6:21:10 AM UTC-7 Ryan Sleevi wrote:
Ben:
As a whole, this change seems a significant step backwards, in
that it removes the requirement for both WebTrust licensee and
ACAB'c membership. There doesn't seem to be any explanation
for this change, and your reply on Feb 3 seemed to support.
In short, it's unclear how this addresses
https://github.com/mozilla/pkipolicy/issues/219 - it seems to
do quite the opposite.
Maybe if we take a step back from your precise wording
changes: What's the end state you'd like to accomplish? It
seems this does the opposite of what's on the bug, and if
that's intended, it might be useful to have some rationale and
discussion on that.
On Mon, Apr 4, 2022 at 11:59 AM Ben Wilson
<[email protected]> wrote:
Please see language proposed to address Issue #219 here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048.
On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson
<[email protected]> wrote:
Adriano,
Right now, we're considering the following language:
"ETSI Audit Attestation Letters MUST follow the Audit
Attestation Letter template on the [ACAB'c
website](https://www.acab-c.com/downloads), and
ETSI auditors SHOULD be listed as [CAB-members on the
ACAB'c website](https://www.acab-c.com/members/).
WebTrust audit statements
MUST follow the practitioner guidance, principles, and
illustrative assurance reports on the [CPA Canada
website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria),
and SHOULD be listed as an enrolled WebTrust
practitioner on the [CPA Canada
website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
Thanks,
Ben
On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via
[email protected]
<[email protected]> wrote:
It is not clear to me whether a decision has been
made on this matter. Would Mozilla please clarify?
If this new requirement were introduced in the
MRSP with immediate effect, it would cause non-trivial
organizational problems for the CAs that
are nearing their next audit cycle.
Adriano
ACTALIS S.p.A.
On 03/02/2022 23:31, Ben Wilson wrote:
Regarding "Relying on a non-official source for
accreditation information has its own risks that
should be taken seriously." - That isn't how it
works - in the third column over on
https://www.acab-c.com/members/, the link is to
the official source, which is what we review.
On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi
<[email protected]> wrote:
On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek
<[email protected]> wrote:
Ben,
The policy requirements should be
structured to match the policy goals.
You have mentioned two important ones,
which I agree with. The first can be
solved by requiring the use of ACAB’c
templates. The second points to a
legitimate issue that the NABs/CABs need
to solve. Relying on a non-official
source for accreditation information has
its own risks that should be taken seriously.
Tim,
I don't want to belabor this point, but you
haven't highlighted if, how, or why you
believe WebTrust is different. WebTrust is
organizationally and functionally the same as
ACAB'c in this regard, as far as professional
association goes. Do you believe WebTrust is
only valid if the US or Canadian governments
recognize it - knowing full well they reject
such audits as being insufficient?
This reply seems to demonstrate a fundamental
misunderstanding about the role of CABs/NABs,
or that there is some value that is not yet
articulated. The burden of proof rests on you
to demonstrate what this value is - and what
these risks are, that you believe should be
taken seriously. You have not yet done that.
There’s also no guarantee that ACAB’C
membership will be free in the future.
Organizations change. ACAB’c could also
adopt membership rules which some
organizations are unable to comply with.
Again, how is this functionally different
from WebTrust, which charges a licensing fee
and which has restrictions on who can join?
This is a point that goes back 20 years, in
particular, during the discussion of Scott
Perry as an auditor who was /not/ WebTrust
licensed at the time and not a CPA. I mention
Scott as an example, because Scott S. Perry
is who DigiCert has used as their auditor
(and which was recently acquired by Schellman).
The argument here does not establish why
Mozilla should be concerned about free or
not. Similarly, the point that ACAB'c "could"
do something is nothing more than
unsubstantiated FUD, because it ignores the
fact that if there was a negative
development, Mozilla - or anyone else - could
respond if necessary.
As was pointed out internally, ACAB’C is
a very small association of mostly French
and German auditors, with very few
members. As much as I appreciate their
work on templates and other issues, I
don’t think forcing people to join
another organization is a good thing for
organizations to do, no matter how
well-intended it is. It takes away their
agency, which will certainly put a damper
on their desire to participate.
This is the closest we've got to actually
establishing the substance of your objection,
but it is entirely unclear what bearing it
should have on this discussion. By this
logic, requiring WebTrust licensed auditors
is an equally unacceptable imposition - do
you agree or not?
Is there some point you believe is being
overlooked? This message is full of
conclusions, but lacks the logical footing
necessary to reach those conclusions. If you
think it's being misunderstood, please
articulate.
The fact that NABs/CABs have not solved this
issue, that there have been years of
discussion with ETSI, and that fundamentally
the organizational goals of NABs/CABs are
specifically to support those of Supervisory
Bodies, and are not aligned with browser
needs, appears to be entirely discarded here.
There's zero reason to believe that
continuing on the present course is somehow
going to lead somewhere different, other
than in the abstract ideal state.
I don't disagree that there are arguments
being made here, but they are arguments that are
easily refuted, or which don't logically
hold. I hope I'm overlooking something.
--
You received this message because you are
subscribed to the Google Groups
"[email protected]"
<mailto:[email protected]> group.
To unsubscribe from this group and stop receiving
emails from it, send an email to
[email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com?utm_medium=email&utm_source=footer>.