On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]>
wrote:

> Ben,
>
> The policy requirements should be structured to match the policy goals.
> You have mentioned two important ones, which I agree with.  The first can
> be solved by requiring the use of ACAB’c templates.  The second points to a
> legitimate issue that the NABs/CABs need to solve.  Relying on a
> non-official source for accreditation information has its own risks that
> should be taken seriously.
>

Tim,

I don't want to belabor this point, but you haven't highlighted if, how, or
why you believe WebTrust is different. WebTrust is organizationally and
functionally the same as ACAB'c in this regard, as far as professional
association goes. Do you believe WebTrust is only valid if the US or
Canadian governments recognize it - knowing full well they reject such
audits as being insufficient?

This reply seems to demonstrate a fundamental misunderstanding about the
role of CABs/NABs, or that there is some value that is not yet articulated.
The burden of proof rests on you to demonstrate what this value is - and
what these risks are, that you believe should be taken seriously. You have
not yet done that.


> There’s also no guarantee that ACAB’C membership will be free in the
> future.  Organizations change.  ACAB’c could also adopt membership rules
> which some organizations are unable to comply with.
>

Again, how is this functionally different from WebTrust, which charges a
licensing fee and which has restrictions on who can join? This is a point
that goes back 20 years, in particular, during the discussion of Scott
Perry as an auditor who was *not* WebTrust licensed at the time and not a
CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert
has used as their auditor (and which was recently acquired by Shellman).

The argument here does not establish why Mozilla should be concerned about
free or not. Similarly, the point that ACAB'c "could" do something is
nothing more than unsubstantiated FUD, because it ignores the fact that if
there was a negative development, Mozilla - or anyone else - could respond
if necessary.

> As was pointed out internally, ACAB’C is a very small association of mostly
> French and German auditors, with very few members.  As much as I appreciate
> their work on templates and other issues, I don’t think forcing people to
> join another organization is a good thing for organizations to do, no
> matter how well-intended it is.  It takes away their agency, which will
> certainly put a damper on their desire to participate.
>

This is the closest we've got to actually establishing the substance of
your objection, but it is entirely unclear what bearing it should have on
this discussion. By this logic, requiring WebTrust licensed auditors is an
equally unacceptable imposition - do you agree or not?

Is there some point you believe is being overlooked? This message is full
of conclusions, but lacks the logical footing necessary to reach those
conclusions. If you think it's being misunderstood, please articulate.

The fact that NABs/CABs have not solved this issue, that there has been
years of discussion with ETSI, and that fundamentally the organizational
goals of NABs/CABs is specifically to support that of Supervisory Bodies,
and is not aligned with browser needs, appears to be entirely discarded
here. There's zero reason to believe that continuing on the present course
is somehow going to lead somewhere differently, other than in the abstract
ideal state.

I don't disagree that there are arguments being made here, but they're
arguments that are easily refuted, or which don't logically hold. I hope
I'm overlooking something.

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHGHPJCGA8Vrh0uOmh9U%2Btg2JoAK6OQ1t_dWrEqJnN3m_g%40mail.gmail.com.