I am proposing that we make this a "SHOULD". ETSI auditors SHOULD be members of ACAB'c.
See draft language here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8

"ETSI auditors SHOULD be members of the [Accredited Conformity Assessment Bodies' Council][ACAB'c link]. WebTrust auditors MUST be [enrolled in the WebTrust program][WebTrust link]."

On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]> wrote:

> With all due respect to ACAB-c, currently the term CAB means a professional accredited by NAB.
>
> I'd suggest to consult with the legal department if the proposed requirement complies with Article 11 (Freedom of assembly and association) of European Convention on Human Rights:
>
> 1. Everyone has the right to freedom of peaceful assembly and to freedom of association with others, including the right to form and to join trade unions for the protection of his interests.
>
> 2. No restrictions shall be placed on the exercise of these rights other than such as are prescribed by law and are necessary in a democratic society in the interests of national security or public safety, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others. This Article shall not prevent the imposition of lawful restrictions on the exercise of these rights by members of the armed forces, of the police or of the administration of the State.
>
> Thanks,
> M.D.
>
> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote:
>
>> All,
>>
>> This email starts discussion of whether ETSI auditors should be required to be members of the Accredited Conformity Assessment Bodies' Council (“ACAB’c” - https://www.acab-c.com/).
>>
>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> for the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>
>> Mozilla continually seeks to improve the quality of CA audits. Therefore, we are considering a requirement that ETSI auditors be members of the ACAB’c, for which there is no cost to join. The ACAB’c has improved the consistency in how audit reports are provided to Mozilla, including how auditor qualifications are verified. (ACAB’c seeks “to harmonise the application of the conformity assessment requirements … with regard to the broader conformity assessment community and in partnership with the main stakeholders of the area, such as [the] CA/Browser Forum ….” Members of the ACAB’c further undertake to meet “the minimum report content for … Browsers Manufacturers”. (Code of Conduct, found at https://www.acab-c.com/terms-conditions-and-policies/.)) Not only has ACAB’c maintained a Mozilla-compliant audit attestation letter template, but it has also provided guidance about what auditors are supposed to check, and it has taken other steps to keep audits current with Mozilla and CA/Browser Forum requirements.
>>
>> From an audit quality standpoint, membership in the ACAB'c is necessary for any auditor using ETSI criteria to review CAs that issue publicly trusted server certificates, and therefore, ACAB'c membership should be a requirement stated in the MRSP.
>>
>> Please provide your responses and comments in this thread. Thanks.
>>
>> Sincerely,
>>
>> Ben Wilson
>>
>> Mozilla Root Store Program
>>
>> --
>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com.
