Does it make sense to check if the surrogate QESC issuer is audited by an ACAB-C member?
Thanks, M.D. On Wed, Jan 26, 2022, 20:37 Ben Wilson <[email protected]> wrote: > I agree that a "MUST" is better. Does anyone have a stronger case for > making it a "SHOULD"? > > On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote: > >> It would seem better for Mozilla users if it was a MUST. A SHOULD is an >> interesting starting point, but I’m not sure it does anything to help >> members of the community here, and there don’t seem to be clear arguments >> against it. >> > >> The benefit, of course, is attempting to ensure better consistency and >> aligning with the needs of Mozilla, which accredited CABs alone are not >> necessarily qualified nor incentivized to do, but at least ACAB-c has been >> willing to try. >> >> On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote: >> >>> I am proposing that we make this a "SHOULD". ETSI auditors SHOULD be >>> members of ACAB'c. >>> >>> See draft language here: >>> >>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8 >>> >>> "ETSI auditors SHOULD be members of the [Accredited Conformity >>> Assessment Bodies' Council][ACAB'c link]. WebTrust auditors MUST be >>> [enrolled >>> in the WebTrust program][WebTrust link]." >>> >>> On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov < >>> [email protected]> wrote: >>> >>>> With all due respect to ACAB-c, currently the term CAB means a >>>> proffesional accredited by NAB. >>>> >>>> I'd suggest to consult with the legal department if the proposed >>>> requirement comply with Article 11 ( Freedom of assembly and association) >>>> of European Convention on Human Rights: >>>> >>>> 1. Everyone has the right to freedom of peaceful assembly and >>>> to freedom of association with others, including the right to form and to >>>> join trade unions for the protection of his interests. >>>> >>>> 2. No restrictions shall be placed on the exercise of these rights >>>> other than such as are prescribed by law and are necessary in a democratic >>>> society in the interests of national security or public safety, for the >>>> prevention of disorder or crime, for the protection of health or morals or >>>> for the protection of the rights and freedoms of others. This Article shall >>>> not prevent the imposition of lawful restrictions on the exercise of these >>>> rights by members of the armed forces, of the police or of the >>>> administration of the State. >>>> >>>> Thanks, >>>> M.D. >>>> >>>> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote: >>>> >>>>> All, >>>>> >>>>> This email starts discussion of whether ETSI auditors should be >>>>> required to be members of the Accredited Conformity Assessment >>>>> Bodies' Council (“ACAB’c” - https://www.acab-c.com/). >>>>> >>>>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> >>>>> for the Mozilla Root Store Policy (MSRP), version 2.8, to be published in >>>>> 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8) >>>>> >>>>> Mozilla continually seeks to improve the quality of CA audits. >>>>> Therefore, we are considering a requirement that ETSI auditors be members >>>>> of the ACAB’c, for which there is no cost to join. The ACAB’c has >>>>> improved the consistency in how audit reports are provided to Mozilla, >>>>> including how auditor qualifications are verified. (ACAB’c seeks “to >>>>> harmonise the application of the conformity assessment requirements … with >>>>> regard to the broader conformity assessment community and in partnership >>>>> with the main stakeholders of the area, such as [the] CA/Browser Forum ….” >>>>> Members of the ACAB’c further undertake to meet “the minimum report >>>>> content for … Browsers Manufacturers”. (Code of Conduct, found at >>>>> https://www.acab-c.com/terms-conditions-and-policies/.) Not only has >>>>> ACAB’c maintained a Mozilla-compliant audit attestation letter template, >>>>> but it has also provided guidance about what auditors are supposed to >>>>> check, and it has taken other steps to keep audits current with Mozilla >>>>> and >>>>> CA/Browser Forum requirements. >>>>> >>>>> >>>>> From an audit quality standpoint, membership in the ACAB'c is >>>>> necessary for any auditor using ETSI criteria to review CAs that issue >>>>> publicly trusted server certificates, and therefore, ACAB'c membership >>>>> should be a requirement stated in the MRSP. >>>>> >>>>> >>>>> Please provide your responses and comments in this thread. Thanks. >>>>> >>>>> >>>>> Sincerely, >>>>> >>>>> >>>>> Ben Wilson >>>>> >>>>> Mozilla Root Store Program >>>>> >>>>> -- >>>>> You received this message because you are subscribed to the Google >>>>> Groups "[email protected]" group. >>>>> To unsubscribe from this group and stop receiving emails from it, send >>>>> an email to [email protected]. >>>>> To view this discussion on the web visit >>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com >>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com?utm_medium=email&utm_source=footer> >>>>> . >>>>> >>>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaatREgzCtG2AMzhs_ObG-P3YSi9mDSSfFJOA7sOWMdgDA%40mail.gmail.com >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaatREgzCtG2AMzhs_ObG-P3YSi9mDSSfFJOA7sOWMdgDA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa8Fj84gFsYmp6_DVGDXWiZiHg89y1N%2BhWd2snoY2YcvQ%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa8Fj84gFsYmp6_DVGDXWiZiHg89y1N%2BhWd2snoY2YcvQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMMZRryx5AL4jK3hkMtrQiCC%2B%3DXqnbVWb%3DXzXNYcxf5YQVv5Hw%40mail.gmail.com.
