Regarding "Relying on a non-official source for accreditation information
has its own risks that should be taken seriously." - That isn't how it
works - in the third column over on https://www.acab-c.com/members/, the
link is to the official source, which is what we review.

On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:

>
>
> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]>
> wrote:
>
>> Ben,
>>
>>
>>
>> The policy requirements should be structured to match the policy goals.
>> You have mentioned two important ones, which I agree with.  The first can
>> be solved by requiring the use of ACAB’c templates.  The second points to a
>> legitimate issue that the NABs/CABs need to solve.  Relying on a
>> non-official source for accreditation information has its own risks that
>> should be taken seriously.
>>
>
> Tim,
>
> I don't want to belabor this point, but you haven't highlighted if, how,
> or why you believe WebTrust is different. WebTrust is organizationally and
> functionally the same as ACAB'c in this regard, as far as professional
> association goes. Do you believe WebTrust is only valid if the US or
> Canadian governments recognize it - knowing full well they reject such
> audits as being insufficient?
>
> This reply seems to demonstrate a fundamental misunderstanding about the
> role of CABs/NABs, or that there is some value that is not yet articulated.
> The burden of proof rests on you to demonstrate what this value is - and
> what these risks are, that you believe should be taken seriously. You have
> not yet done that.
>
>
>> There’s also no guarantee that ACAB’C membership will be free in the
>> future.  Organizations change.  ACAB’c could also adopt membership rules
>> which some organizations are unable to comply with.
>>
>
> Again, how is this functionally different from WebTrust, which charges a
> licensing fee and which has restrictions on who can join? This is a point
> that goes back 20 years, in particular, during the discussion of Scott
> Perry as an auditor who was *not* WebTrust licensed at the time and not a
> CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert
> has used as their auditor (and which was recently acquired by Shellman).
>
> The argument here does not establish why Mozilla should be concerned about
> free or not. Similarly, the point that ACAB'c "could" do something is
> nothing more than unsubstantiated FUD, because it ignores the fact that if
> there was a negative development, Mozilla - or anyone else - could respond
> if necessary.
>
>> As was pointed out internally, ACAB’C is a very small association of
>> mostly French and German auditors, with very few members.  As much as I
>> appreciate their work on templates and other issues, I don’t think forcing
>> people to join another organization is a good thing for organizations to
>> do, no matter how well-intended it is.  It takes away their agency, which
>> will certainly put a damper on their desire to participate.
>>
>
> This is the closest we've got to actually establishing the substance of
> your objection, but it is entirely unclear what bearing it should have on
> this discussion. By this logic, requiring WebTrust licensed auditors is an
> equally unacceptable imposition - do you agree or not?
>
> Is there some point you believe is being overlooked? This message is full
> of conclusions, but lacks the logical footing necessary to reach those
> conclusions. If you think it's being misunderstood, please articulate.
>
> The fact that NABs/CABs have not solved this issue, that there has been
> years of discussion with ETSI, and that fundamentally the organizational
> goals of NABs/CABs is specifically to support that of Supervisory Bodies,
> and is not aligned with browser needs, appears to be entirely discarded
> here. There's zero reason to believe that continuing on the present course
> is somehow going to lead somewhere differently, other than in the abstract
> ideal state.
>
> I don't disagree that there are arguments being made here, but their
> they're arguments that are easily refuted, or which don't logically hold. I hope
> I'm overlooking something.
>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com.