Where would the surrogate QESC issuer apply? For S/MIME?

On Wed, Jan 26, 2022 at 1:57 PM Moudrick Dadashov <[email protected]> wrote:

> Does it make sense to check if the surrogate QESC issuer is audited by an
> ACAB-C member?
>
> Thanks,
> M.D.
>
> On Wed, Jan 26, 2022, 20:37 Ben Wilson <[email protected]> wrote:
>
>> I agree that a "MUST" is better. Does anyone have a stronger case for
>> making it a "SHOULD"?
>>
>> On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote:
>>
>>> It would seem better for Mozilla users if it was a MUST. A SHOULD is an
>>> interesting starting point, but I’m not sure it does anything to help
>>> members of the community here, and there don’t seem to be clear arguments
>>> against it.
>>>
>>> The benefit, of course, is attempting to ensure better consistency and
>>> aligning with the needs of Mozilla, which accredited CABs alone are not
>>> necessarily qualified nor incentivized to do, but at least ACAB-c has been
>>> willing to try.
>>>
>>> On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote:
>>>
>>>> I am proposing that we make this a "SHOULD". ETSI auditors SHOULD be
>>>> members of ACAB'c.
>>>>
>>>> See draft language here:
>>>>
>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8
>>>>
>>>> "ETSI auditors SHOULD be members of the [Accredited Conformity
>>>> Assessment Bodies' Council][ACAB'c link]. WebTrust auditors MUST be
>>>> [enrolled in the WebTrust program][WebTrust link]."
>>>>
>>>> On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]> wrote:
>>>>
>>>>> With all due respect to ACAB-c, currently the term CAB means a
>>>>> professional accredited by NAB.
>>>>>
>>>>> I'd suggest to consult with the legal department if the proposed
>>>>> requirement complies with Article 11 (Freedom of assembly and
>>>>> association) of European Convention on Human Rights:
>>>>>
>>>>> 1. Everyone has the right to freedom of peaceful assembly and to
>>>>> freedom of association with others, including the right to form and
>>>>> to join trade unions for the protection of his interests.
>>>>>
>>>>> 2. No restrictions shall be placed on the exercise of these rights
>>>>> other than such as are prescribed by law and are necessary in a
>>>>> democratic society in the interests of national security or public
>>>>> safety, for the prevention of disorder or crime, for the protection
>>>>> of health or morals or for the protection of the rights and freedoms
>>>>> of others. This Article shall not prevent the imposition of lawful
>>>>> restrictions on the exercise of these rights by members of the armed
>>>>> forces, of the police or of the administration of the State.
>>>>>
>>>>> Thanks,
>>>>> M.D.
>>>>>
>>>>> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote:
>>>>>
>>>>>> All,
>>>>>>
>>>>>> This email starts discussion of whether ETSI auditors should be
>>>>>> required to be members of the Accredited Conformity Assessment
>>>>>> Bodies' Council (“ACAB’c” - https://www.acab-c.com/).
>>>>>>
>>>>>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219>
>>>>>> for the Mozilla Root Store Policy (MRSP), version 2.8, to be
>>>>>> published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>>>>>
>>>>>> Mozilla continually seeks to improve the quality of CA audits.
>>>>>> Therefore, we are considering a requirement that ETSI auditors be
>>>>>> members of the ACAB’c, for which there is no cost to join. The ACAB’c
>>>>>> has improved the consistency in how audit reports are provided to
>>>>>> Mozilla, including how auditor qualifications are verified. (ACAB’c
>>>>>> seeks “to harmonise the application of the conformity assessment
>>>>>> requirements … with regard to the broader conformity assessment
>>>>>> community and in partnership with the main stakeholders of the area,
>>>>>> such as [the] CA/Browser Forum ….” Members of the ACAB’c further
>>>>>> undertake to meet “the minimum report content for … Browsers
>>>>>> Manufacturers”. (Code of Conduct, found at
>>>>>> https://www.acab-c.com/terms-conditions-and-policies/.) Not only has
>>>>>> ACAB’c maintained a Mozilla-compliant audit attestation letter
>>>>>> template, but it has also provided guidance about what auditors are
>>>>>> supposed to check, and it has taken other steps to keep audits
>>>>>> current with Mozilla and CA/Browser Forum requirements.
>>>>>>
>>>>>> From an audit quality standpoint, membership in the ACAB'c is
>>>>>> necessary for any auditor using ETSI criteria to review CAs that
>>>>>> issue publicly trusted server certificates, and therefore, ACAB'c
>>>>>> membership should be a requirement stated in the MRSP.
>>>>>>
>>>>>> Please provide your responses and comments in this thread. Thanks.
>>>>>>
>>>>>> Sincerely,
>>>>>>
>>>>>> Ben Wilson
>>>>>>
>>>>>> Mozilla Root Store Program
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google
>>>>>> Groups "[email protected]" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>> send an email to [email protected].
>>>>>> To view this discussion on the web visit
>>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com
