I think the ACAB'c provides benefits that bring ETSI audits closer to what
we see from WebTrust audits, even though the two organizations
aren't similar in all respects. Both are needed or are "Must" haves for
Mozilla. ACAB'c doesn't cost anything to join, it provides good templates
that are responsive to Mozilla's needs, and it also makes it easier to
determine if the CAB is accredited or not, among other benefits it provides.

On Thu, Feb 3, 2022, 1:06 PM Ryan Sleevi <[email protected]> wrote:

> Tim,
>
> As much as I disdain the tone policing here, it's certainly not my intent
> to put words in your mouth. I had hoped it was clear in my previous message
> that I was responding to how your message was received, and clarifying it
> as such, in the hopes of ensuring you could clarify if it was not what you
> intended. You call that a strawman or putting words in your mouth, but I do
> struggle to think how we can better communicate, if we cannot articulate
> "When you say X, I hear this, is that what you mean?"
>
> I think you can agree that when arguments are unclear, or unsubstantiated,
> it is difficult, if not impossible, to productively engage. I do hope we
> can find a better way of working together, and in particular, ensure
> concerns are well articulated in a way that reduces the likelihood of
> misinterpretation. However, I'm not sure it's fair, or reasonable, to
> suggest that it's somehow a violation of policy to highlight when your
> arguments are unclear, how they were interpreted, and what the problems may
> be with that interpretation. If you did not intend for it as such, it's a
> welcome opportunity for you to both clarify your arguments, and to better
> understand my own concerns. That's not strawmanning - that's trying to
> reach a shared understanding, and I hope you can agree, that's very
> valuable.
>
> To that point, I think you may misunderstand what WebTrust is. It is not,
> as you suggest, an accreditation program, but a licensing program, in which
> a brand is licensed based on an expectation of meeting some quality control
> objectives. I'm hoping that if you believe ACAB-c is functionally
> different, you might be able to further articulate where that difference
> is, as it would appear to be functionally identical.
>
> Your response to suggest that the goal is "simply to check a box on
> Mozilla's compliance list" seems to do the same disservice to the argument
> I presented you, as you accuse me of doing. I hope you can see how I
> articulated that the purpose is not merely checking a box, and how the
> affiliation has value. Perhaps this misunderstanding of my previous e-mail,
> and the misunderstanding of what WebTrust is, has compounded the
> miscommunications here?
>
> On Thu, Feb 3, 2022 at 2:44 PM Tim Hollebeek <[email protected]>
> wrote:
>
>> It is disrespectful to imply that my remarks mean anything beyond what I
>> actually said.  This has been a pattern for a long time, where you reply
>> quickly to my feedback, replace it with a strawman, and then argue against
>> the strawman.  In particular, the WebTrust analogy is not very apt.
>> WebTrust is a compliance program that Mozilla relies upon, so it makes a
>> lot of sense for auditors to have to be accredited under it and in good
>> standing.  As far as I’m aware, ACAB-C is not an accreditation body for
>> ETSI audits in any way.
>>
>>
>>
>> I have asked you, repeatedly and publicly, and on many occasions, to not
>> put words in my mouth when you reply.  Yet you persist.  This sort of
>> behavior is why I rarely participate in this forum any more.  Particularly
>> relevant to this forum, it’s also a violation of Mozilla Policy.
>>
>>
>>
>> Clearly, it would be better, for example, if Mozilla desires that
>> auditors use the ACAB-C reporting format, then they should require that.
>> Forcing every auditor, including those who are government regulators and
>> for whom this relationship might be awkward, into joining an organization
>> simply to check a box on Mozilla’s compliance list, will not improve
>> anything.  People will join for the checkbox, and then ignore the
>> organization and not participate.
>>
>>
>>
>> -Tim
>>
>>
>>
>> *From:* Ryan Sleevi <[email protected]>
>> *Sent:* Thursday, February 3, 2022 2:11 PM
>> *To:* Tim Hollebeek <[email protected]>
>> *Cc:* Ben Wilson <[email protected]>; Ryan Sleevi <[email protected]>;
>> [email protected] <[email protected]>
>> *Subject:* Re: Policy 2.8: MRSP Issue #219: Require ETSI auditors to be
>> ACAB-c members
>>
>>
>>
>> Tim:
>>
>>
>>
>> Why is recognition as part of the European regulatory structure
>> necessary, or even desirable? It has different goals for different users,
>> which is fine. Similarly, WebTrust is not recognized by any regulatory
>> structure, and that doesn’t cause issues.
>>
>>
>>
>> You state “it would be better”, but provide no justification or evidence
>> to support that claim. It’s already been addressed why there are benefits.
>>
>>
>>
>> It sounds as if you’re objecting on the basis of “this changes things”,
>> and that’s not a substantive concern. Nor have you demonstrated why
>> Mozilla, or anyone, must bear the burden of proof for convincing you of the
>> benefit.
>>
>>
>>
>> The recognition by European regulatory structure provides zero technical
>> or policy benefit to browser root programs. In particular, there is no
>> functioning accountability for any misrepresentation to browsers that is
>> not also made to regulatory authorities. The work product CABs provide
>> to SBs is already different than that provided to browsers, so it’s
>> somewhat questionable to assert any bearing at all.
>>
>>
>>
>> Compared to ACAB-c, which has offered to self-regulate with respect to
>> browser needs, and has actively worked to try and engage on providing some
>> degree of inter-member understanding and consistency with respect to
>> reporting.
>>
>>
>>
>> It is not clear that your objection has any merit. If there are clear
>> problems with joining ACAB-c, it would be better to write explicit
>> requirements about why that is, instead of merely objecting.
>>
>>
>>
>> On Thu, Feb 3, 2022 at 1:02 PM Tim Hollebeek <[email protected]>
>> wrote:
>>
>> This would effectively force a number of existing auditors with a long
>> history of providing ETSI audits for Mozilla into joining ACAB-C.  It is
>> not clear that simply being a member provides any benefits.  If there are
>> clear problems to be solved here, it would be better to write explicit
>> requirements about what is expected of auditors, instead of requiring their
>> membership in an arbitrary organization.
>>
>>
>>
>> As far as I’m aware, ACAB-C is a voluntary coordination body, and not in
>> any way recognized as part of the European regulatory structure.
>>
>>
>>
>> -Tim
>>
>>
>>
>> *From:* [email protected] <[email protected]>
>> *On Behalf Of *Ben Wilson
>> *Sent:* Wednesday, January 26, 2022 1:37 PM
>> *To:* Ryan Sleevi <[email protected]>
>> *Cc:* [email protected] <[email protected]>
>> *Subject:* Re: Policy 2.8: MRSP Issue #219: Require ETSI auditors to be
>> ACAB-c members
>>
>>
>>
>> I agree that a "MUST" is better. Does anyone have a stronger case for
>> making it a "SHOULD"?
>>
>>
>>
>> On Tue, Jan 25, 2022 at 11:00 PM Ryan Sleevi <[email protected]> wrote:
>>
>> It would seem better for Mozilla users if it was a MUST. A SHOULD is an
>> interesting starting point, but I’m not sure it does anything to help
>> members of the community here, and there don’t seem to be clear arguments
>> against it.
>>
>>
>>
>> The benefit, of course, is attempting to ensure better consistency and
>> aligning with the needs of Mozilla, which accredited CABs alone are not
>> necessarily qualified nor incentivized to do, but at least ACAB-c has been
>> willing to try.
>>
>>
>>
>> On Tue, Jan 25, 2022 at 10:53 PM Ben Wilson <[email protected]> wrote:
>>
>> I am proposing that we make this a "SHOULD".  ETSI auditors SHOULD be
>> members of ACAB'c.
>>
>>
>>
>> See draft language here:
>>
>>
>> https://github.com/BenWilson-Mozilla/pkipolicy/commit/01f15d4bc2cebfedd140dcb3285f50f6216984b8
>>
>>
>>
>> "ETSI auditors SHOULD be members of the [Accredited Conformity Assessment
>> Bodies' Council][ACAB'c link].  WebTrust auditors MUST be [enrolled in the
>> WebTrust program][WebTrust link]."
>>
>>
>>
>> On Tue, Dec 14, 2021 at 5:06 PM Moudrick Dadashov <[email protected]>
>> wrote:
>>
>> With all due respect to ACAB-c, currently the term CAB means a
>> professional accredited by a NAB.
>>
>>
>>
>> I'd suggest consulting the legal department on whether the proposed
>> requirement complies with Article 11 (Freedom of assembly and association)
>> of the European Convention on Human Rights:
>>
>>
>>
>> 1. Everyone has the right to freedom of peaceful assembly and to freedom
>> of association with others, including the right to form and to join trade
>> unions for the protection of his interests.
>>
>>
>>
>> 2. No restrictions shall be placed on the exercise of these rights other
>> than such as are prescribed by law and are necessary in a democratic
>> society in the interests of national security or public safety, for the
>> prevention of disorder or crime, for the protection of health or morals or
>> for the protection of the rights and freedoms of others. This Article shall
>> not prevent the imposition of lawful restrictions on the exercise of these
>> rights by members of the armed forces, of the police or of the
>> administration of the State.
>>
>>
>>
>> Thanks,
>>
>> M.D.
>>
>>
>>
>> On Wed, Dec 15, 2021, 00:37 Ben Wilson <[email protected]> wrote:
>>
>> All,
>>
>> This email starts discussion of whether ETSI auditors should be required
>> to be members of the Accredited Conformity Assessment Bodies' Council
>> (“ACAB’c” - https://www.acab-c.com/).
>>
>> This is Issue #219 <https://github.com/mozilla/pkipolicy/issues/219> for
>> the Mozilla Root Store Policy (MRSP), version 2.8, to be published in 2022.
>> (See https://github.com/mozilla/pkipolicy/labels/2.8)
>>
>> Mozilla continually seeks to improve the quality of CA audits. Therefore,
>> we are considering a requirement that ETSI auditors be members of the
>> ACAB’c, for which there is no cost to join. The ACAB’c has improved the
>> consistency in how audit reports are provided to Mozilla, including how
>> auditor qualifications are verified. (ACAB’c seeks “to harmonise the
>> application of the conformity assessment requirements … with regard to the
>> broader conformity assessment community and in partnership with the main
>> stakeholders of the area, such as [the] CA/Browser Forum ….”  Members of
>> the ACAB’c further undertake to meet “the minimum report content for …
>> Browsers Manufacturers”.  (Code of Conduct, found at
>> https://www.acab-c.com/terms-conditions-and-policies/.) Not only has
>> ACAB’c maintained a Mozilla-compliant audit attestation letter template,
>> but it has also provided guidance about what auditors are supposed to
>> check, and it has taken other steps to keep audits current with Mozilla and
>> CA/Browser Forum requirements.
>>
>>
>>
>> From an audit quality standpoint, membership in the ACAB'c is necessary
>> for any auditor using ETSI criteria to review CAs that issue publicly
>> trusted server certificates, and therefore, ACAB'c membership should be a
>> requirement stated in the MRSP.
>>
>>
>>
>> Please provide your responses and comments in this thread.  Thanks.
>>
>>
>>
>> Sincerely,
>>
>>
>>
>> Ben Wilson
>>
>> Mozilla Root Store Program
>>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYmQeVSjcwW8sPQNmUY_nOvoz9vEua-qd_DW5Lz2k0aZg%40mail.gmail.com.