[cabfpub] Auditability of EV 1.4 and other CABF Guidelines

Sheehy, Don (CA - Toronto) dosheehy at deloitte.ca
Tue Nov 13 14:38:23 UTC 2012

Gerv - I think you have misunderstood. The issue that I pointed out was we just needed to "freeze" a version to allow for consistent auditing. WebTrust EV was based on EV 1.3 - you can always look at the web site to say "there were the control and operational requirements". When EV 1.4 (developed in May) pointed to controls that were approved for use in July and then changed again in September, the ability to perform the audit under 1.4 is more difficult (since the measuring stick continues to move, although the EV version remains the same). All I asked for is that, in the future, the EV guidelines become whole in their own right again to facilitate audit and not refer to guidelines that will change in the future before 1.6 is developed (creating a number of versions that each can have audit ramifications). When the new EV std 1.5 is approved, we will create WebTrust EV 1.5. We cannot change audit standards on a weekly basis - all need to go through due process.

In the past, as you remember, EV did not create a new version that incorporated all of the weekly proposed changes until the vote was taken on a new revised version. This is what we based our audit revision on, in agreement with the Forum.

It does not matter when CA/B approves a standard as long as it can be frozen at that requirement until there are changes that are so significant that a formal revised version is again needed and approved.

Donald E. Sheehy, CA, CISA, CRISC, CIPP/C
Partner | Enterprise Risk

-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Monday, November 12, 2012 5:27 AM
To: ben at digicert.com
Cc: public at cabforum.org
Subject: Re: [cabfpub] Auditability of EV 1.4 and other CABF Guidelines

On 09/11/12 23:12, Ben Wilson wrote:
> Thanks, Don.  I’m just thinking out loud here, but what if we were to 
> start working toward a two-session model for ballots and effective 
> dates?

I wonder whether that would slow down our already not-stellar pace of improvements.

How about if we instead instituted a proper revision-numbering scheme, with major, minor and patchlevel numbering? In that world, why does changing the EV Guidelines and the BRs cause a problem for WebTrust and ETSI? We could coordinate with them over where a good point for them to "freeze" was, and then they would go into a round of updates saying "We want to make our audit standards match EV 1.4.54 and BR 1.1.17". This would take as long as it takes, and once it was completed, when they felt the need, they could do a new round to make them match EV 1.5.2 and BR 1.3.27. And so on.
