Adriano,

Right now, we're considering the following language:

"ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter
template on the [ACAB'c website](https://www.acab-c.com/downloads), and
ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website](
https://www.acab-c.com/members/). WebTrust audit statements
MUST follow the practitioner guidance, principles, and illustrative
assurance reports on the [CPA Canada website](
https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria),
and WebTrust auditors SHOULD be listed as an enrolled WebTrust practitioner on the [CPA
Canada website](
https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."


Thanks,

Ben

On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via
[email protected] <[email protected]> wrote:

> It is not clear to me whether a decision has been made on this matter.
> Would Mozilla please clarify? If this new requirement were introduced in
> the MRSP with immediate effect, it would cause non-trivial organizational
> problems for the CAs that are nearing their next audit cycle.
>
> Adriano
>
> ACTALIS S.p.A.
>
>
> On 03/02/2022 23:31, Ben Wilson wrote:
>
> Regarding "Relying on a non-official source for accreditation information
> has its own risks that should be taken seriously." - That isn't how it
> works - in the third column over on https://www.acab-c.com/members/, the
> link is to the official source, which is what we review.
>
> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:
>
>>
>>
>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]>
>> wrote:
>>
>>> Ben,
>>>
>>>
>>>
>>> The policy requirements should be structured to match the policy goals.
>>> You have mentioned two important ones, which I agree with.  The first can
>>> be solved by requiring the use of ACAB’c templates.  The second points to a
>>> legitimate issue that the NABs/CABs need to solve.  Relying on a
>>> non-official source for accreditation information has its own risks that
>>> should be taken seriously.
>>>
>>
>> Tim,
>>
>> I don't want to belabor this point, but you haven't highlighted if, how,
>> or why you believe WebTrust is different. WebTrust is organizationally and
>> functionally the same as ACAB'c in this regard, as far as professional
>> association goes. Do you believe WebTrust is only valid if the US or
>> Canadian governments recognize it - knowing full well they reject such
>> audits as being insufficient?
>>
>> This reply seems to demonstrate a fundamental misunderstanding about the
>> role of CABs/NABs, or that there is some value that is not yet articulated.
>> The burden of proof rests on you to demonstrate what this value is - and
>> what these risks are, that you believe should be taken seriously. You have
>> not yet done that.
>>
>>
>>> There’s also no guarantee that ACAB’C membership will be free in the
>>> future.  Organizations change.  ACAB’c could also adopt membership rules
>>> which some organizations are unable to comply with.
>>>
>>
>> Again, how is this functionally different from WebTrust, which charges a
>> licensing fee and which has restrictions on who can join? This is a point
>> that goes back 20 years, in particular, during the discussion of Scott
>> Perry as an auditor who was *not* WebTrust licensed at the time and not
>> a CPA. I mention Scott as an example, because Scott S. Perry is who
>> DigiCert has used as their auditor (and which was recently acquired by
>> Shellman).
>>
>> The argument here does not establish why Mozilla should be concerned
>> about free or not. Similarly, the point that ACAB'c "could" do something is
>> nothing more than unsubstantiated FUD, because it ignores the fact that if
>> there was a negative development, Mozilla - or anyone else - could respond
>> if necessary.
>>
>>> As was pointed out internally, ACAB’C is a very small association of
>>> mostly French and German auditors, with very few members.  As much as I
>>> appreciate their work on templates and other issues, I don’t think forcing
>>> people to join another organization is a good thing for organizations to
>>> do, no matter how well-intended it is.  It takes away their agency, which
>>> will certainly put a damper on their desire to participate.
>>>
>>
>> This is the closest we've got to actually establishing the substance of
>> your objection, but it is entirely unclear what bearing it should have on
>> this discussion. By this logic, requiring WebTrust licensed auditors is an
>> equally unacceptable imposition - do you agree or not?
>>
>> Is there some point you believe is being overlooked? This message is full
>> of conclusions, but lacks the logical footing necessary to reach those
>> conclusions. If you think it's being misunderstood, please articulate.
>>
>> The fact that NABs/CABs have not solved this issue, that there have been
>> years of discussion with ETSI, and that fundamentally the organizational
>> goals of NABs/CABs are specifically to support those of Supervisory Bodies,
>> and are not aligned with browser needs, appears to be entirely discarded
>> here. There's zero reason to believe that continuing on the present course
>> is somehow going to lead somewhere differently, other than in the abstract
>> ideal state.
>>
>> I don't disagree that there are arguments being made here, but they're
>> arguments that are easily refuted, or which don't logically hold. I hope
>> I'm overlooking something.
>>

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaa6VRjj2zMCmshFUvfOLH19yqVDRiH1YC2hrnD_H2fyxg%40mail.gmail.com.