Re: Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-03-26 Thread Ben Wilson via dev-security-policy
All, As discussed previously, here is a draft amendment to the Audit Statements wiki page for your review and comment: https://wiki.mozilla.org/CA/Audit_Statements#Providing_Auditor_Qualifications Sincerely yours, Ben ___ dev-security-policy mailing list

Re: Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-03-11 Thread Wanko Clemens via dev-security-policy
rz 2021 00:31 To: mozilla-dev-security-policy Subject: EXT: Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report All, Kathleen and I discussed the language of this proposal and have modified it for MRSP section 3.2 as follows: "A Qu

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-03-08 Thread Ben Wilson via dev-security-policy
All, Kathleen and I discussed the language of this proposal and have modified it for MRSP section 3.2 as follows: "A Qualified Auditor MUST have relevant IT Security experience, or have audited a number of CAs, and be independent. Each Audit Report MUST be accompanied by documentation provided to

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-18 Thread Ben Wilson via dev-security-policy
All, I have edited the proposed resolution of Issue #192 as follows: Subsection 3 of MRSP Section 3.1.4. would read: "The publicly-available documentation relating to each audit MUST contain at

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Watson Ladd via dev-security-policy
On Monday, February 15, 2021 at 3:07:12 PM UTC-8, Jeff Ward wrote: > On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > > Apologies for belaboring the point, but I think we might be talking past > > each other. > > > > You originally stated “The only place I am aware that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 15, 2021 at 6:07 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Ryan, I hope you are not suggesting I am dodging your points. That would > be absurd. Let me use different words as comparable world seems to be > tripping you up. I'm not trying

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > Apologies for belaboring the point, but I think we might be talking past > each other. > > You originally stated “The only place I am aware that lists the audit > partner in a comparable world is the signing audit partner on

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
Apologies for belaboring the point, but I think we might be talking past each other. You originally stated “The only place I am aware that lists the audit partner in a comparable world is the signing audit partner on public company audits in the US, which is available on the SEC website.” I gave

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 1:57:11 PM UTC-6, Ryan Sleevi wrote: > On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > I wanted to clarify a couple of points. Firms must be independent to do > > audit/assurance work. If

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Ryan Sleevi via dev-security-policy
On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I wanted to clarify a couple of points. Firms must be independent to do > audit/assurance work. If independence is impaired, for example, by one > person in the firm performing

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Thursday, February 11, 2021 at 12:41:44 PM UTC-6, Ben Wilson wrote: > All, > > I've modified the proposed change to MRSP section 3.2 so that it would now > insert a middle paragraph that would read: > > "A Qualified Auditor MUST have relevant IT Security experience, or have > audited a

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-11 Thread Ben Wilson via dev-security-policy
All, I've modified the proposed change to MRSP section 3.2 so that it would now insert a middle paragraph that would read: "A Qualified Auditor MUST have relevant IT Security experience, or have audited a number of CAs, and be independent and not conflicted. Individuals have competence,

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 28, 2021 at 3:05 PM Ben Wilson wrote: > Thanks. My current thinking is that we can leave the MRSP "as is" and > that we write up what we want in > https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications, > which is, as you note, information about members of the audit

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
Thanks. My current thinking is that we can leave the MRSP "as is" and that we write up what we want in https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications, which is, as you note, information about members of the audit team and how individual members meet #2, #3, and #6. On

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ryan Sleevi via dev-security-policy
On Thu, Jan 28, 2021 at 1:43 PM Ben Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On second thought, I think that Mozilla can accomplish what we want without > modifying the MRSP > < >

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-28 Thread Ben Wilson via dev-security-policy
On second thought, I think that Mozilla can accomplish what we want without modifying the MRSP (which says audits MUST be performed by a Qualified Auditor, as defined in the Baseline Requirements

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-26 Thread Ben Wilson via dev-security-policy
Thanks, Clemens. I'll take a look. Also, apparently my redlining was lost when my message was saved to the newsgroup. I'll see if I can re-post without the text formatting of strikeouts and underlines. On Tue, Jan 26, 2021 at 10:24 AM Clemens Wanko via dev-security-policy <

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-26 Thread Clemens Wanko via dev-security-policy
Hi Ben, looking at what was suggested so far for section 3.2, it seems that the BR combine and summarize under "qualified" in the BR section 8.2 what you and Kathleen describe with the definitions for "competent" and "independent" parties. Based upon that, MRSP section 3.2 could be structured

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-01-24 Thread Ben Wilson via dev-security-policy
Here is my attempt to reword section 3.2 based on combining MRSP version 2.4.1 with version 2.7. My approach was to align the concepts of "competent", "independent" and "qualified" with their more-accepted meanings. Version 2.4.1 and earlier versions of the Mozilla Root Store Policy mixed some of

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-14 Thread Kathleen Wilson via dev-security-policy
On 11/13/20 1:43 PM, Ryan Sleevi wrote: In this regard, the principles from Mozilla's 1.0 Certificate Policy provide a small minimum, along with some of the language from, say, the FPKI, regarding technical competencies. The basis here is simply for the auditor to *disclose* why they believe

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-13 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 12, 2020 at 7:27 PM Kathleen Wilson via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > I am very much in favor of increasing transparency about the > qualifications of the auditors providing audit statements for CAs in our > program. However, I think that we

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
PS: In the meantime, we will continue to verify auditor qualifications as described here: https://wiki.mozilla.org/CA/Audit_Statements#Auditor_Qualifications On 11/12/20 4:27 PM, Kathleen Wilson wrote: > It is proposed in Issue #192 > that

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-12 Thread Kathleen Wilson via dev-security-policy
> It is proposed in Issue #192 > that information about > individual auditor's qualifications be provided--identity, competence, > experience and independence. (For those interested as to this independence > requirement, Mozilla Policy v.1.0

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Ryan Sleevi via dev-security-policy
On Mon, Nov 9, 2020 at 11:53 AM Clemens Wanko via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan, hi all, > well, isn’t the point to make here just, that there are multiple ways to > ensure proper auditor qualification? No matter which way you like to go > however,

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Dimitris Zacharopoulos via dev-security-policy
Thank you Ben, this is really helpful. Dimitris. On 2020-11-09 6:52 p.m., Ben Wilson via dev-security-policy wrote: Hi Dimitris, I intend to introduce the remaining discussion topics over the next three weeks. I did not announce an end to the discussion period on purpose, so that we can have

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Clemens Wanko via dev-security-policy
Hi Ryan, hi all, well, isn’t the point to make here just, that there are multiple ways to ensure proper auditor qualification? No matter which way you like to go however, you must define the details of your regime: what is the criteria you require the auditor to fulfill, how do you organize

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Ben Wilson via dev-security-policy
Hi Dimitris, I intend to introduce the remaining discussion topics over the next three weeks. I did not announce an end to the discussion period on purpose, so that we can have as full of a discussion as possible. Also, in the next three weeks, I intend to start summarizing the discussions and

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-09 Thread Dimitris Zacharopoulos via dev-security-policy
On 7/11/2020 3:12 p.m., Ryan Sleevi wrote: On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos mailto:ji...@it.auth.gr>> wrote: I will try to further explain my thoughts on this. As we all know, according to Mozilla Policy "CAs MUST follow and be aware of discussions in the

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-08 Thread Jeff Ward via dev-security-policy
On Saturday, November 7, 2020 at 10:36:58 AM UTC-6, Ryan Sleevi wrote: > On Sat, Nov 7, 2020 at 9:21 AM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Sure Ryan, the answer is quite simple. When I used the word "public" in > > my post, I should have been

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-07 Thread Ryan Sleevi via dev-security-policy
On Sat, Nov 7, 2020 at 9:21 AM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sure Ryan, the answer is quite simple. When I used the word "public" in > my post, I should have been more clear as to the nuance of this concept. > Public reports by definition are

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-07 Thread Jeff Ward via dev-security-policy
On Friday, November 6, 2020 at 1:13:43 PM UTC-6, Ryan Sleevi wrote: > On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Audit reports, whether for WebTrust, financial statements, or other forms > > of engagement reports providing

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-07 Thread Ryan Sleevi via dev-security-policy
On Sat, Nov 7, 2020 at 4:52 AM Dimitris Zacharopoulos wrote: > > I will try to further explain my thoughts on this. As we all know, > according to Mozilla Policy "CAs MUST follow and be aware of discussions in > the mozilla.dev.security.policy >

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-07 Thread Dimitris Zacharopoulos via dev-security-policy
I will try to further explain my thoughts on this. As we all know, according to Mozilla Policy "CAs MUST follow and be aware of discussions in the mozilla.dev.security.policy forum, where Mozilla's root program is coordinated". I

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 6:08 PM Dimitris Zacharopoulos via dev-security-policy wrote: > Can other people, except Ryan, follow this thread? I certainly can't. Too > much information, too much text, too many assumptions, makes it impossible > to meaningfully participate in the discussion. These

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Dimitris Zacharopoulos via dev-security-policy
Can other people, except Ryan, follow this thread? I certainly can't. Too much information, too much text, too many assumptions, makes it impossible to meaningfully participate in the discussion.

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jakob Bohm via dev-security-policy
On 2020-11-06 18:31, Jeff Ward wrote: > ... Audit reports, whether for WebTrust, financial statements, or other forms of engagement reports providing assurance to users of the information, do not include specific audit team members’ names. Simply stated, this desire to include individual

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 12:00 PM Clemens Wanko via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Hi Ryan, hi all, > three things to comment on that: > > 1. How is the EU ETSI audit scheme thought and what is it intended to > provide to Mozilla and the CA/Browser

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Ryan Sleevi via dev-security-policy
On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Audit reports, whether for WebTrust, financial statements, or other forms > of engagement reports providing assurance to users of the information, do > not include specific audit

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jeff Ward via dev-security-policy
On Tuesday, November 3, 2020 at 5:53:52 PM UTC-6, Ben Wilson wrote: > Historically, Mozilla Policy required that CAs "provide attestation of > their conformance to the stated verification requirements and other > operational criteria by a competent independent party or parties with > access to

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Clemens Wanko via dev-security-policy
Hi Ryan, hi all, three things to comment on that: 1. How is the EU ETSI audit scheme thought and what is it intended to provide to Mozilla and the CA/Browser ecosystem? The European scheme of technical standards for CA/TSP developed by ETSI was made and is constantly adopted to integrate

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Ryan Sleevi via dev-security-policy
On Thu, Nov 5, 2020 at 7:00 PM Wojtek Porczyk wrote: > On Thu, Nov 05, 2020 at 11:48:20AM -0500, Ryan Sleevi via > dev-security-policy wrote: > > competency is with individuals, not organizations. > > [snip] > > > I find the appeal to redundancy and the NAB, and further, the suggestion > of > >

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Wojtek Porczyk via dev-security-policy
On Thu, Nov 05, 2020 at 11:48:20AM -0500, Ryan Sleevi via dev-security-policy wrote: > competency is with individuals, not organizations. [snip] > I find the appeal to redundancy and the NAB, and further, the suggestion of > GDPR, to be a bit insulting to this community. This opposition to >

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Ryan Sleevi via dev-security-policy
nal Message- > > From: dev-security-policy > On > > Behalf Of Ben Wilson via dev-security-policy > > Sent: Tuesday, November 3, 2020 6:53 PM > > To: Mozilla > > Subject: Policy 2.7.1: MRSP Issue #192: Require information about auditor > > qualificati

RE: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Tim Hollebeek via dev-security-policy
f Ben Wilson via dev-security-policy > Sent: Tuesday, November 3, 2020 6:53 PM > To: Mozilla > Subject: Policy 2.7.1: MRSP Issue #192: Require information about auditor > qualifications in the audit report > > Historically, Mozilla Policy required that CAs "provide attestati

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Ryan Sleevi via dev-security-policy
Hi Clemens, I think this fundamentally misunderstands the proposal. As Ben mentioned, and as countless other schemes have highlighted, competency is with individuals, not organizations. While the eIDAS Scheme is relevant for eIDAS qualification, I think it's important to highlight that browsers

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-05 Thread Clemens Wanko via dev-security-policy
Hi Ben, in order to avoid for every single audit the compilation work for the auditor (in person) on his qualification, independence, etc. as well as the need to crosscheck the statements he made, that was covered for the EU ETSI/eIDAS scheme by the accreditation of the body (organization;

Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-03 Thread Ben Wilson via dev-security-policy
Historically, Mozilla Policy required that CAs "provide attestation of their conformance to the stated verification requirements and other operational criteria by a competent independent party or parties with access to details of the CA's internal operations."