I agree that a "MUST" is better. Does anyone have a stronger case for making it a "SHOULD"?
On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote: > It would seem better for Mozilla users if it was a MUST. A SHOULD is an > interesting starting point, but I’m not sure it does anything to help > members of the community here, and there don’t seem to be clear arguments > against it. > > The benefit, of course, is attempting to ensure better consistency and > aligning with the needs of Mozilla, which accredited CABs alone are not > necessarily qualified nor incentivized to do, but at least ACAB-c has been > willing to try. > > On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote: > >> I am proposing that we make this a "SHOULD". ETSI auditors SHOULD be >> members of ACAB'c. >> >> See draft language here: >> >> https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8 >> >> "ETSI auditors SHOULD be members of the [Accredited Conformity >> Assessment Bodies' Council][ACAB'c link]. WebTrust auditors MUST be >> [enrolled >> in the WebTrust program][WebTrust link]." >> >> On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]> >> wrote: >> >>> With all due respect to ACAB-c, currently the term CAB means a >>> proffesional accredited by NAB. >>> >>> I'd suggest to consult with the legal department if the proposed >>> requirement comply with Article 11 ( Freedom of assembly and association) >>> of European Convention on Human Rights: >>> >>> 1. Everyone has the right to freedom of peaceful assembly and >>> to freedom of association with others, including the right to form and to >>> join trade unions for the protection of his interests. >>> >>> 2. No restrictions shall be placed on the exercise of these rights >>> other than such as are prescribed by law and are necessary in a democratic >>> society in the interests of national security or public safety, for the >>> prevention of disorder or crime, for the protection of health or morals or >>> for the protection of the rights and freedoms of others. This Article shall >>> not prevent the imposition of lawful restrictions on the exercise of these >>> rights by members of the armed forces, of the police or of the >>> administration of the State. >>> >>> Thanks, >>> M.D. >>> >>> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote: >>> >>>> All, >>>> >>>> This email starts discussion of whether ETSI auditors should be >>>> required to be members of the Accredited Conformity Assessment Bodies' >>>> Council (“ACAB’c” - https://www.acab-c.com/). >>>> >>>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> >>>> for the Mozilla Root Store Policy (MSRP), version 2.8, to be published in >>>> 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) >>>> >>>> Mozilla continually seeks to improve the quality of CA audits. >>>> Therefore, we are considering a requirement that ETSI auditors be members >>>> of the ACAB’c, for which there is no cost to join. The ACAB’c has >>>> improved the consistency in how audit reports are provided to Mozilla, >>>> including how auditor qualifications are verified. (ACAB’c seeks “to >>>> harmonise the application of the conformity assessment requirements … with >>>> regard to the broader conformity assessment community and in partnership >>>> with the main stakeholders of the area, such as [the] CA/Browser Forum ….” >>>> Members of the ACAB’c further undertake to meet “the minimum report >>>> content for … Browsers Manufacturers”. (Code of Conduct, found at >>>> https://www.acab-c.com/terms-conditions-and-policies/.) Not only has >>>> ACAB’c maintained a Mozilla-compliant audit attestation letter template, >>>> but it has also provided guidance about what auditors are supposed to >>>> check, and it has taken other steps to keep audits current with Mozilla and >>>> CA/Browser Forum requirements. >>>> >>>> >>>> From an audit quality standpoint, membership in the ACAB'c is necessary >>>> for any auditor using ETSI criteria to review CAs that issue publicly >>>> trusted server certificates, and therefore, ACAB'c membership should be a >>>> requirement stated in the MRSP. >>>> >>>> >>>> Please provide your responses and comments in this thread. Thanks. >>>> >>>> >>>> Sincerely, >>>> >>>> >>>> Ben Wilson >>>> >>>> Mozilla Root Store Program >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "[email protected]" group. >>>> To unsubscribe from this group and stop receiving emails from it, send >>>> an email to [email protected]. >>>> To view this discussion on the web visit >>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com >>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>> . >>>> >>> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaatREgzCtG2AMzhs_ObG-P3YSi9mDSSfFJOA7sOWMdgDA%40mail.gmail.com >> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaatREgzCtG2AMzhs_ObG-P3YSi9mDSSfFJOA7sOWMdgDA%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa8Fj84gFsYmp6_DVGDXWiZiHg89y1N%2BhWd2snoY2YcvQ%40mail.gmail.com.
