This would effectively force a number of existing auditors with a long history 
of providing ETSI audits for Mozilla into joining ACAB-C.  It is not clear that 
simply being a member provides any benefits.  If there are clear problems to be 
solved here, it would be better to write explicit requirements about what is 
expected of auditors, instead of requiring their membership in an arbitrary 
organization.

As far as I’m aware, ACAB-C is a voluntary coordination body, and not in any 
way recognized as part of the European regulatory structure.

-Tim

From: [email protected] <[email protected]> On 
Behalf Of Ben Wilson
Sent: Wednesday, January 26, 2022 1:37 PM
To: Ryan Sleevi <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: Policy 2.8: MRSP Issue #219: Require ETSI auditors to be ACAB-c 
members

I agree that a "MUST" is better. Does anyone have a stronger case for making it 
a "SHOULD"?

On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote:
It would seem better for Mozilla users if it was a MUST. A SHOULD is an 
interesting starting point, but I’m not sure it does anything to help members 
of the community here, and there don’t seem to be clear arguments against it.

The benefit, of course, is attempting to ensure better consistency and aligning 
with the needs of Mozilla, which accredited CABs alone are not necessarily 
qualified nor incentivized to do, but at least ACAB-c has been willing to try.

On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote:
I am proposing that we make this a "SHOULD".  ETSI auditors SHOULD be members 
of ACAB'c.

See draft language here:
https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8

"ETSI auditors SHOULD be members of the [Accredited Conformity Assessment 
Bodies' Council][ACAB'c link].  WebTrust auditors MUST be [enrolled in the 
WebTrust program][WebTrust link]."

On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]> wrote:
With all due respect to ACAB-c, currently the term CAB means a professional 
accredited by NAB.

I'd suggest consulting with the legal department on whether the proposed 
requirement complies with Article 11 (Freedom of assembly and association) of 
the European Convention on Human Rights:

1. Everyone has the right to freedom of peaceful assembly and to freedom of 
association with others, including the right to form and to join trade unions 
for the protection of his interests.

2. No restrictions shall be placed on the exercise of these rights other than 
such as are prescribed by law and are necessary in a democratic society in the 
interests of national security or public safety, for the prevention of disorder 
or crime, for the protection of health or morals or for the protection of the 
rights and freedoms of others. This Article shall not prevent the imposition of 
lawful restrictions on the exercise of these rights by members of the armed 
forces, of the police or of the administration of the State.

Thanks,
M.D.

On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote:
All,
This email starts discussion of whether ETSI auditors should be required to be 
members of the Accredited Conformity Assessment Bodies' Council (“ACAB’c” - 
https://www.acab-c.com/).
This is Issue #219<https://github.com/mozilla/pkipolicy/issues/219> for the 
Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022. (See 
https://github.com/mozilla/pkipolicy/labels/2.8)
Mozilla continually seeks to improve the quality of CA audits. Therefore, we 
are considering a requirement that ETSI auditors be members of the ACAB’c, for 
which there is no cost to join. The ACAB’c has improved the consistency in how 
audit reports are provided to Mozilla, including how auditor qualifications are 
verified. ACAB’c seeks “to harmonise the application of the conformity 
assessment requirements … with regard to the broader conformity assessment 
community and in partnership with the main stakeholders of the area, such as 
[the] CA/Browser Forum ….”  Members of the ACAB’c further undertake to meet 
“the minimum report content for … Browsers Manufacturers”.  (Code of Conduct, 
found at https://www.acab-c.com/terms-conditions-and-policies/.) Not only has 
ACAB’c maintained a Mozilla-compliant audit attestation letter template, but it 
has also provided guidance about what auditors are supposed to check, and it 
has taken other steps to keep audits current with Mozilla and CA/Browser Forum 
requirements.

From an audit quality standpoint, membership in the ACAB'c is necessary for 
any auditor using ETSI criteria to review CAs that issue publicly trusted 
server certificates, and therefore, ACAB'c membership should be a requirement 
stated in the MRSP.

Please provide your responses and comments in this thread.  Thanks.

Sincerely,

Ben Wilson
Mozilla Root Store Program
--
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYuv_0Zy4LZnxPkmbg9EGft6AtT3AXSSUM2Es7VWuUPgw%40mail.gmail.com.
