Hi Ben, looking at what was suggested so far for section 3.2, it seems that the BR combine and summarize under "qualified" in the BR section 8.2 what you and Kathleen describe with the definitions for "competent" and "independent" parties.
Based upon that, MRSP section 3.2 could be structured in the following way: ***** 1st: definition of "competent party" ****** By "competent party" we mean... ***** 2nd: definition of "independency" ****** By "independent party" we mean... ***** 3rd: now refer to the BR summarizing 1 and 2 up in the term "qualified assessor/auditor" ***** By "qualified party" we mean a person or other entity or group of persons who meet *is meeting * the combination of the requirements defined above for a "competent party" and an "independent party" and as such meets *meeting * the requirements of section 8.2 of the Baseline Requirements. Further following that idea and syncing it with the wording also used by the BR, the current suggestion for MRSP section 3.2 could be revised/amended as follows: ***** 3.2 Auditors Mozilla requires that audits MUST be performed by a competent, independent and herewith qualified party. [...] By "competent party" we mean a person or other entity *group of persons* who has the proficiency and is authorized to perform audits according to the stated criteria (e.g., by the organization responsible for the criteria or by a relevant agency) and for whom is sufficient public information available to determine and evidence that the party is competent *has sufficient education, experience, and ability* to judge the CA’s conformance to the stated criteria. In the latter case, "Public information" referred to SHOULD *** -> SHALL - Why not being more strict here?*** include information regarding the party’s: - evidence of being bound by law, government regulation, or professional code of ethics; - knowledge of CA-related technical issues such as public key cryptography and related standards; - experience in performing security-related audits, evaluations, and risk analyses; and - honesty and objectivity *ability to deliver an opinion as to the CA’s compliance with applicable requirements*. [...] ***** Best regards Clemens _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy