All,

This email starts discussion of whether ETSI auditors should be required to
be members of the Accredited Conformity Assessment Bodies' Council
(“ACAB’c” - https://www.acab-c.com/).

This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> for
the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022.
(See https://github.com/mozilla/pkipolicy/labels/2.8)

Mozilla continually seeks to improve the quality of CA audits. Therefore,
we are considering a requirement that ETSI auditors be members of the
ACAB’c, for which there is no cost to join. The ACAB’c has improved the
consistency in how audit reports are provided to Mozilla, including how
auditor qualifications are verified. ACAB’c seeks “to harmonise the
application of the conformity assessment requirements … with regard to the
broader conformity assessment community and in partnership with the main
stakeholders of the area, such as [the] CA/Browser Forum ….”  Members of
the ACAB’c further undertake to meet “the minimum report content for …
Browsers Manufacturers”.  (Code of Conduct, found at
https://www.acab-c.com/terms-conditions-and-policies/.) Not only has ACAB’c
maintained a Mozilla-compliant audit attestation letter template, but it
has also provided guidance about what auditors are supposed to check, and
it has taken other steps to keep audits current with Mozilla and CA/Browser
Forum requirements.


From an audit quality standpoint, membership in the ACAB'c is necessary for
any auditor using ETSI criteria to review CAs that issue publicly trusted
server certificates, and therefore, ACAB'c membership should be a
requirement stated in the MRSP.


Please provide your responses and comments in this thread.  Thanks.


Sincerely,


Ben Wilson

Mozilla Root Store Program
