[cabfpub] [EXTERNAL]Re: Voting has started on Ballot 214 - CAA Discovery CNAME Errata

Ryan Sleevi sleevi at google.com
Wed Sep 27 00:42:57 UTC 2017


On Wed, Sep 27, 2017 at 1:01 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> You are forgetting one important factor – the immediate translation of BRs
> enacted by Forum members into WebTrust/ETSI audit requirements (including
> Effective Dates) that are then applied to Forum members automatically.
>

Hi Kirk,

This wasn't forgotten - rather, it's not accurate :)


>
>
> WebTrust/ETSI take what we say as Holy Writ and then audit us to it.
>

Not quite. WebTrust and ETSI both audit members to Principles and Criteria
derived from the Baseline Requirements, using their professional judgement
to render an opinion on the matter as well as determining whether issues of
non-conformance are material to the findings. As you know from your
participation in the WebTrust Task Force discussions as Chair of the Forum,
and as a CA, you are fully aware that WebTrust and ETSI do not
comprehensively examine every individual aspect of the Baseline
Requirements, but rather require CAs to demonstrate controls reflective of
the principles and criteria.


> For this reason, *only* the Forum (which passes the BRs) can correct a
> bad ballot and “instruct” the WebTrust guys on what is, and what is not,
> non-compliance leading to an audit qualification.
>

This is also not correct, and has been repeatedly discussed in the Forum.
Please let me know if you'd like me to dig up the minuted discussions of
this.

The findings of the Forum serve as secondary input, along with the primary
input of the AICPA, with respect to the materiality of non-compliance to
the principles and criteria of trust service providers. In this respect,
the Forum serves much like browsers do, in providing input with respect to
industry consensus and 'best practices'


> Even if the WebTrust team is sympathetic to their CA clients and
> understand the problem, they generally don’t have discretion to ignore
> violations of the BRs.  No one else can fix the problem of a bad ballot for
> us – not the browsers, not the auditors themselves.  And most of us don’t
> want a qualified audit just because of an error in the drafting of a ballot
> that passes.
>

Luckily, the numerous factual inaccuracies in this render this argument
moot. I do hope you can follow up with Jeff, Don, and the rest of AICPA in
discussing your understanding of both the role and relationship of the
Forum. As has been discussed over the past two years - and in particular,
as browsers seek to better understand and appreciate the limits of audits
and the ability of CAs to have non-compliance while not having it as a
material finding, there is a degree of separation and independence from the
Forum that establishes both WebTrust and ETSI as independent assessment
criteria, informed by the discussions and decisions here, but neither bound
to them nor driven by them.


>
>
> In this way, the Forum is different from ISO and other standards bodies,
> as I don’t think ISO standards go directly to an audit organization for
> immediate application to ISO members.
>
>
>
> We appreciate Google granting permission in this case to violate the BRs,
> but that won’t have any impact on what the auditors do in interpreting and
> auditing us to the BRs as amended by Ballot 214.
>

That is correct. And it will always be so.


> That’s why it would be appropriate to include retroactivity clauses in
> remedial ballots, as I have suggested.
>

As explained above, this is operating on a significant misunderstanding of
the role and relationship of the Forum, and as such, your suggestion is not
only unnecessary, but actively detrimental to the relevance and respect of
the Forum. It is important to consistently and immediately highlight these
inaccuracies, lest the constant repetition of the suggestion lead it to
being adopted through exhaustion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170927/15ab0b3f/attachment-0003.html>


More information about the Public mailing list