Here is another GitHub commit making ACAB'c membership mandatory. Note: It also requires WebTrust practitioners to be "enrolled" by CPA Canada in the WebTrust for Certification Authorities program.

https://github.com/BenWilson-Mozilla/pkipolicy/commit/7df1bd3cb220d115540b850dae1df7f40794e290

On Wed, Jan 26, 2022 at 12:38 PM Ryan Sleevi <[email protected]> wrote:

> Where would the surrogate QESC issuer apply? For S/MIME?
>
> On Wed, Jan 26, 2022 at 1:57 PM Moudrick Dadashov <[email protected]> wrote:
>
>> Does it make sense to check if the surrogate QESC issuer is audited by an ACAB-C member?
>>
>> Thanks,
>> M.D.
>>
>> On Wed, Jan 26, 2022, 20:37 Ben Wilson <[email protected]> wrote:
>>
>>> I agree that a "MUST" is better. Does anyone have a stronger case for making it a "SHOULD"?
>>>
>>> On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote:
>>>
>>>> It would seem better for Mozilla users if it was a MUST. A SHOULD is an interesting starting point, but I’m not sure it does anything to help members of the community here, and there don’t seem to be clear arguments against it.
>>>>
>>>> The benefit, of course, is attempting to ensure better consistency and aligning with the needs of Mozilla, which accredited CABs alone are not necessarily qualified nor incentivized to do, but at least ACAB-c has been willing to try.
>>>>
>>>> On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote:
>>>>
>>>>> I am proposing that we make this a "SHOULD". ETSI auditors SHOULD be members of ACAB'c.
>>>>>
>>>>> See draft language here:
>>>>>
>>>>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8
>>>>>
>>>>> "ETSI auditors SHOULD be members of the [Accredited Conformity Assessment Bodies' Council][ACAB'c link]. WebTrust auditors MUST be [enrolled in the WebTrust program][WebTrust link]."
>>>>>
>>>>> On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]> wrote:
>>>>>
>>>>>> With all due respect to ACAB-c, currently the term CAB means a professional accredited by NAB.
>>>>>>
>>>>>> I'd suggest to consult with the legal department if the proposed requirement complies with Article 11 (Freedom of assembly and association) of the European Convention on Human Rights:
>>>>>>
>>>>>> 1. Everyone has the right to freedom of peaceful assembly and to freedom of association with others, including the right to form and to join trade unions for the protection of his interests.
>>>>>>
>>>>>> 2. No restrictions shall be placed on the exercise of these rights other than such as are prescribed by law and are necessary in a democratic society in the interests of national security or public safety, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others. This Article shall not prevent the imposition of lawful restrictions on the exercise of these rights by members of the armed forces, of the police or of the administration of the State.
>>>>>>
>>>>>> Thanks,
>>>>>> M.D.
>>>>>>
>>>>>> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote:
>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> This email starts discussion of whether ETSI auditors should be required to be members of the Accredited Conformity Assessment Bodies' Council (“ACAB’c” - https://www.acab-c.com/).
>>>>>>>
>>>>>>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> for the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>>>>>>
>>>>>>> Mozilla continually seeks to improve the quality of CA audits. Therefore, we are considering a requirement that ETSI auditors be members of the ACAB’c, for which there is no cost to join. The ACAB’c has improved the consistency in how audit reports are provided to Mozilla, including how auditor qualifications are verified. (ACAB’c seeks “to harmonise the application of the conformity assessment requirements … with regard to the broader conformity assessment community and in partnership with the main stakeholders of the area, such as [the] CA/Browser Forum ….” Members of the ACAB’c further undertake to meet “the minimum report content for … Browsers Manufacturers”. (Code of Conduct, found at https://www.acab-c.com/terms-conditions-and-policies/.) Not only has ACAB’c maintained a Mozilla-compliant audit attestation letter template, but it has also provided guidance about what auditors are supposed to check, and it has taken other steps to keep audits current with Mozilla and CA/Browser Forum requirements.
>>>>>>>
>>>>>>> From an audit quality standpoint, membership in the ACAB'c is necessary for any auditor using ETSI criteria to review CAs that issue publicly trusted server certificates, and therefore, ACAB'c membership should be a requirement stated in the MRSP.
>>>>>>>
>>>>>>> Please provide your responses and comments in this thread. Thanks.
>>>>>>>
>>>>>>> Sincerely,
>>>>>>>
>>>>>>> Ben Wilson
>>>>>>>
>>>>>>> Mozilla Root Store Program
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZrNrJrvouCJb05mNP5nWPo4uLk59c-P3%2BNbnwYZUrQLg%40mail.gmail.com.
