Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-07 Thread Jeff Ward via dev-security-policy
On Saturday, March 7, 2020 at 8:24:57 AM UTC-6, Ryan Sleevi wrote: > On Fri, Mar 6, 2020 at 9:03 PM jwardcpa--- via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > Great follow on questions Ryan. As far as the detailed report, whether > > the end product is in the

Re: Welcome Ben Wilson to Mozilla!

2020-04-14 Thread Jeff Ward via dev-security-policy
On Monday, April 13, 2020 at 12:07:40 PM UTC-5, Kathleen Wilson wrote: > All, > > I am pleased to announce that Ben Wilson has joined Mozilla as a CA > Program Manager! > > Ben has worked in PKI security, compliance, and policy since 1998. > Previously, he worked at DigiCert in various roles,

Re: Auditing of CA facilities in lockdown because of an environmental disaster/pandemic

2020-03-21 Thread Jeff Ward via dev-security-policy
On Friday, March 20, 2020 at 3:55:08 PM UTC-5, Ryan Sleevi wrote: > On Fri, Mar 20, 2020 at 4:07 PM Kathleen Wilson via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > My question: What should "location" mean in the above requirement? > > > > The WebTrust Practitioner

Re: Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2021-01-12 Thread Jeff Ward via dev-security-policy
On Sunday, January 3, 2021 at 8:38:05 AM UTC-6, Jeff Ward wrote: > On Tuesday, December 15, 2020 at 2:41:10 PM UTC-6, Ben Wilson wrote: > > All, > > > > This email is part of the discussion for the next version of the Mozilla > > Root Store Policy (MRSP), version 2.7.1, to be published during

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-08 Thread Jeff Ward via dev-security-policy
On Saturday, November 7, 2020 at 10:36:58 AM UTC-6, Ryan Sleevi wrote: > On Sat, Nov 7, 2020 at 9:21 AM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Sure Ryan, the answer is quite simple. When I used the word "public" in

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-07 Thread Jeff Ward via dev-security-policy
On Friday, November 6, 2020 at 1:13:43 PM UTC-6, Ryan Sleevi wrote: > On Fri, Nov 6, 2020 at 12:31 PM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > Audit reports, whether for WebTrust, financial statements, or other forms > > of e

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2020-11-06 Thread Jeff Ward via dev-security-policy
On Tuesday, November 3, 2020 at 5:53:52 PM UTC-6, Ben Wilson wrote: > Historically, Mozilla Policy required that CAs "provide attestation of > their conformance to the stated verification requirements and other > operational criteria by a competent independent party or parties with > access to

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2020-11-06 Thread Jeff Ward via dev-security-policy
On Thursday, October 22, 2020 at 1:53:40 PM UTC-5, Ben Wilson wrote: > The purpose of this email is to begin public discussion on the addition of > a subsection 11 to section 3.1.4 of the Mozilla Root Store Policy. Issue > #187 in GitHub proposes

Re: Policy 2.7.1: MRSP Issue #207: Require audit statements to provide information about which CA Locations were audited

2021-01-03 Thread Jeff Ward via dev-security-policy
On Tuesday, December 15, 2020 at 2:41:10 PM UTC-6, Ben Wilson wrote: > All, > > This email is part of the discussion for the next version of the Mozilla > Root Store Policy (MRSP), version 2.7.1, to be published during Q1-2021. > > For audit delays, we currently require that audit

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Thursday, February 11, 2021 at 12:41:44 PM UTC-6, Ben Wilson wrote: > All, > > I've modified the proposed change to MRSP section 3.2 so that it would now > insert a middle paragraph that would read: > > "A Qualified Auditor MUST have relevant IT Security experience, or have > audited a

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 1:57:11 PM UTC-6, Ryan Sleevi wrote: > On Mon, Feb 15, 2021 at 2:03 PM Jeff Ward via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > I wanted to clarify a couple of points. Firms must be independent to do >

Re: Policy 2.7.1: MRSP Issue #192: Require information about auditor qualifications in the audit report

2021-02-15 Thread Jeff Ward via dev-security-policy
On Monday, February 15, 2021 at 4:11:15 PM UTC-6, Ryan Sleevi wrote: > Apologies for belaboring the point, but I think we might be talking past > each other. > > You originally stated “The only place I am aware that lists the audit > partner in a comparable world is the signing audit partner on

Re: Policy 2.7.1: MRSP Issue #187: Require disclosure of incidents in Audit Reports

2021-02-15 Thread Jeff Ward via dev-security-policy
On Friday, February 12, 2021 at 10:27:11 AM UTC-6, Ben Wilson wrote: > I'm fine with that suggestion. > On Fri, Feb 12, 2021 at 5:06 AM malcol...--- via dev-security-policy < > dev-secur...@lists.mozilla.org> wrote: > > > On Thursday, 11 February 2021 at 21:14:13 UTC, Ben Wilson wrote: > > >