[cabfpub] [EXTERNAL]Re: Voting has started on Ballot 214 - CAA Discovery CNAME Errata

Ryan Sleevi sleevi at google.com
Thu Sep 28 00:20:36 UTC 2017


On Thu, Sep 28, 2017 at 3:11 AM, Kirk Hall <Kirk.Hall at entrustdatacard.com>
wrote:

> Eric – root program decisions (such as excusing compliance with something)
> do not affect the auditors application of BR requirements through the BR
> WebTrust audit.
>

>
> The auditors generally must follow what the BRs say, as incorporated in
> their audit standards.  (After all, we have only gotten permission to
> violate the BRs from three browsers, but there are other browsers and
> applications that require full BR compliance to remain in their root
> program.)
>
>
>
> That is why the best way to avoid possible audit failure on this issue is
> to further amend the BRs to what we all want them to say, effective as of
> Sept. 8, 2017.
>

Kirk,

Changes to the Baseline Requirements do not directly change WebTrust or
ETSI. So your proposed solution for the problem you see (which is not an
accurate understanding of the problem) does not work.

If the BRs are changed, it must still be incorporated into the WebTrust or
ETSI criteria. If the BRs change, but the audit criteria are not, auditors
are still bound to the criteria - and while they can use the changes in the
BR to inform their opinions as secondary sources, they are primarily bound
by ethical and professional obligations to evaluate the criteria and
principles.

This has been a regular topic for discussion in the Forum with respect to
imposing new requirements. I am surprised to hear you expressing concern,
given that it is addressed directly or indirectly in nearly every WebTrust
update. It may simply be that the connection between the updates Don and
Jeff provide with respect to updated criteria, how audits are conducted,
and how the Forum operates hasn't been made, but if that's the case, we
should try to solve for that problem first, so that you can see that the
concerns you have are unfounded.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20170928/11ef10be/attachment-0003.html>


More information about the Public mailing list