Hey Jeremy,
Huge thanks for raising this. Sadly, you’re about to be eaten by a grue [1]
Browsers have definitely had conversations with both WebTrust and ETSI on
this, and I recall some conversations to that effect during the CA/Browser
Forum F2F discussions.
One of the challenges is that ETSI and WebTrust are highly divergent in
this area, in that an ETSI audit is not based on Management’s Assertions in
the way that WebTrust is, but against a set of criteria (largely) CAs (via
ETSI) developed for themselves, in order to meet certain European legal
obligations.
To date, the policy has left it flexible for that reason. Instead, we’ve
tried to work very closely to explain the concerns to both WebTrust and to
ETSI. To address these concerns, the WebTrust TF went back and examined
their relevant professional obligations (e.g. under ISAE 3000 or AICPA’s
AT-C standards) and developed illustrative reports that WebTrust-licensed
auditors could use to opine on and disclose other relevant matters, such as
incidents. While it’s certainly true that the WebTrust TF does not
presently place an obligation on the auditor to disclose these matters,
either via the (“externally” maintained) aforementioned professional
standards or via the (TF-maintained) audit criteria, a competent and
capable auditor should be familiar both with the illustrative reports and
the policy requirements of the relevant report recipients. CAs contracting
with their auditors can certainly ensure that the auditor understands the
requirements placed upon the CA by its report recipients, and thus ensure
the auditor will disclose information they are professionally empowered to
disclose, and as demonstrated via the illustrative report.
There are several subtle differences in the implications of the reporting,
as to whether it’s disclosed via Management’s Assertion or disclosed as
other findings, and much more stark differences with respect to ETSI
reporting, so I’m not sure a one-size-fits-all approach works here. That
said, I absolutely entirely welcome any and all additional disclosures that
are made by CAs in their management letters, and that’s something commonly
discussed with WebTrust in trying to find angles for formalizing various
reporting and disclosure.
This community is wholly open, so perhaps the best thing CAs can do is
ensure their auditors actively follow, and perhaps even engage with, this
community. We’ve definitely had folks from the audit community involved and
seeking insight and input (without violating their professional obligations
re: confidentiality or their professional opinion forming requirements), so
perhaps it’s worth making sure your auditor does or commits to do so. I
know Scott Perry was one of the original firms involved here, before the
CPA licensing, as they were recognized by Mozilla as a competent auditor
independent from Mozilla when they first proposed becoming an auditor many
years ago (15+?) Perhaps they should revisit and be more closely following?
I realize that answer is a bit “No, but yes, but no” - but it’s exactly the
sort of discussion worth having, and it’s been a conversations browsers
have been having for years now with the auditors, in trying to address
auditor quality control issues. Hopefully, some of the auditors, and
particularly the WTTF members who I do know lurk here, may want to chime
in, especially if I’ve botched any of the summarization :)
[1]
http://mentalfloss.com/article/29885/eaten-grue-brief-history-zork