Please see language proposed to address Issue #219 here: https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048 .
On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson <[email protected]> wrote:

> Adriano,
>
> Right now, we're considering the following language:
>
> "ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter template on the [ACAB'c website](https://www.acab-c.com/downloads), and ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website](https://www.acab-c.com/members/). WebTrust audit statements MUST follow the practitioner guidance, principles, and illustrative assurance reports on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), and SHOULD be listed as an enrolled WebTrust practitioner on the [CPA Canada website](https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)."
>
> Thanks,
>
> Ben
>
> On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via [email protected] <[email protected]> wrote:
>
>> It is not clear to me whether a decision has been made on this matter. Would Mozilla please clarify? If this new requirement were introduced in the MRSP with immediate effect, it would cause non-trivial organizational problems for the CAs that are nearing their next audit cycle.
>>
>> Adriano
>>
>> ACTALIS S.p.A.
>>
>> On 03/02/2022 23:31, Ben Wilson wrote:
>>
>> Regarding "Relying on a non-official source for accreditation information has its own risks that should be taken seriously." - That isn't how it works - in the third column over on https://www.acab-c.com/members/, the link is to the official source, which is what we review.
>>
>> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote:
>>
>>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek <[email protected]> wrote:
>>>
>>>> Ben,
>>>>
>>>> The policy requirements should be structured to match the policy goals. You have mentioned two important ones, which I agree with. The first can be solved by requiring the use of ACAB’c templates. The second points to a legitimate issue that the NABs/CABs need to solve. Relying on a non-official source for accreditation information has its own risks that should be taken seriously.
>>>
>>> Tim,
>>>
>>> I don't want to belabor this point, but you haven't highlighted if, how, or why you believe WebTrust is different. WebTrust is organizationally and functionally the same as ACAB'c in this regard, as far as professional association goes. Do you believe WebTrust is only valid if the US or Canadian governments recognize it - knowing full well they reject such audits as being insufficient?
>>>
>>> This reply seems to demonstrate a fundamental misunderstanding about the role of CABs/NABs, or that there is some value that is not yet articulated. The burden of proof rests on you to demonstrate what this value is - and what these risks are, that you believe should be taken seriously. You have not yet done that.
>>>
>>>> There’s also no guarantee that ACAB’C membership will be free in the future. Organizations change. ACAB’c could also adopt membership rules which some organizations are unable to comply with.
>>>
>>> Again, how is this functionally different from WebTrust, which charges a licensing fee and which has restrictions on who can join? This is a point that goes back 20 years, in particular, during the discussion of Scott Perry as an auditor who was *not* WebTrust licensed at the time and not a CPA. I mention Scott as an example, because Scott S. Perry is who DigiCert has used as their auditor (and which was recently acquired by Schellman).
>>>
>>> The argument here does not establish why Mozilla should be concerned about free or not. Similarly, the point that ACAB'c "could" do something is nothing more than unsubstantiated FUD, because it ignores the fact that if there was a negative development, Mozilla - or anyone else - could respond if necessary.
>>>
>>>> As was pointed out internally, ACAB’C is a very small association of mostly French and German auditors, with very few members. As much as I appreciate their work on templates and other issues, I don’t think forcing people to join another organization is a good thing for organizations to do, no matter how well-intended it is. It takes away their agency, which will certainly put a damper on their desire to participate.
>>>
>>> This is the closest we've got to actually establishing the substance of your objection, but it is entirely unclear what bearing it should have on this discussion. By this logic, requiring WebTrust licensed auditors is an equally unacceptable imposition - do you agree or not?
>>>
>>> Is there some point you believe is being overlooked? This message is full of conclusions, but lacks the logical footing necessary to reach those conclusions. If you think it's being misunderstood, please articulate.
>>>
>>> The fact that NABs/CABs have not solved this issue, that there has been years of discussion with ETSI, and that fundamentally the organizational goals of NABs/CABs is specifically to support that of Supervisory Bodies, and is not aligned with browser needs, appears to be entirely discarded here. There's zero reason to believe that continuing on the present course is somehow going to lead somewhere differently, other than in the abstract ideal state.
>>>
>>> I don't disagree that there are arguments being made here, but they're arguments that are easily refuted, or which don't logically hold. I hope I'm overlooking something.

-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabXvMWdzJOj5hsKb09VVf1%3Dk2jRu%3DCujMSUBL%2Ba_FFY1Q%40mail.gmail.com.
