Ben: As a whole, this change seems a significant step backwards, in that it removes the requirement for both WebTrust licensee and ACAB'c membership. There doesn't seem to be any explanation for this change, and your reply on Feb 3 seemed to support.
In short, it's unclear how this addresses https://github.com/mozilla/pkipolicy/issues/219 - it seems to do quite the opposite. Maybe if we take a step back from your precise wording changes: What's the end state you'd like to accomplish? It seems this does the opposite of what's on the bug, and if that's intended, it might be useful to have some rationale and discussion on that. On Mon, Apr 4, 2022 at 11:59 AM Ben Wilson <[email protected]> wrote: > Please see language proposed to address Issue #219 here: > https://github.com/BenWilson-Mozilla/pkipolicy/commit/907b54de5b811bbd1def8208e2f72b43f1e21048 > . > > On Tue, Mar 29, 2022 at 9:35 AM Ben Wilson <[email protected]> wrote: > >> Adriano, >> >> Right now, we're considering the following language: >> >> "ETSI Audit Attestation Letters MUST follow the Audit Attestation Letter >> template on the [ACAB'c website](https://www.acab-c.com/downloads), and >> ETSI auditors SHOULD be listed as [CAB-members on the ACAB'c website]( >> https://www.acab-c.com/members/). WebTrust audit statements >> MUST follow the practitioner guidance, principles, and illustrative >> assurance reports on the [CPA Canada website]( >> https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/principles-and-criteria), >> and SHOULD be listed as an enrolled WebTrust practitioner on the [CPA >> Canada website]( >> https://www.cpacanada.ca/en/business-and-accounting-resources/audit-and-assurance/overview-of-webtrust-services/licensed-webtrust-practitioners-international)." >> >> >> Thanks, >> >> Ben >> >> On Tue, Mar 29, 2022 at 9:03 AM 'Adriano Santoni' via >> [email protected] <[email protected]> wrote: >> >>> It is not clear to me whether a decision has been made on this matter. >>> Would Mozilla please clarify? If this new requirement were introduced >>> in the MRSP with immediate effect, it would cause non trivial >>> organizational problems for the CAs that are nearing their next audit cycle. >>> >>> Adriano >>> >>> ACTALIS S.p.A. >>> >>> >>> Il 03/02/2022 23:31, Ben Wilson ha scritto: >>> >>> Regarding "Relying on a non-official source for accreditation >>> information has its own risks that should be taken seriously." - That >>> isn't how it works - in the third column over on >>> https://www.acab-c.com/members/, the link is to the official source, >>> which is what we review. >>> >>> On Thu, Feb 3, 2022 at 3:16 PM Ryan Sleevi <[email protected]> wrote: >>> >>>> >>>> >>>> On Thu, Feb 3, 2022 at 4:03 PM Tim Hollebeek < >>>> [email protected]> wrote: >>>> >>>>> Ben, >>>>> >>>>> >>>>> >>>>> The policy requirements should be structured to match the policy >>>>> goals. You have mentioned two important ones, which I agree with. The >>>>> first can be solved by requiring the use of ACAB’c templates. The second >>>>> points to a legitimate issue that the NABs/CABs need to solve. Relying on >>>>> a non-official source for accreditation information has its own risks that >>>>> should be taken seriously. >>>>> >>>> >>>> Tim, >>>> >>>> I don't want to belabor this point, but you haven't highlighted if, >>>> how, or why you believe WebTrust is different. WebTrust is organizationally >>>> and functionally the same as ACAB'c in this regard, as far as professional >>>> association goes. Do you believe WebTrust is only valid if the US or >>>> Canadian governments recognize it - knowing full well they reject such >>>> audits as being insufficient? >>>> >>>> This reply seems to demonstrate a fundamental misunderstanding about >>>> the role of CABs/NABs, or that there is some value that is not yet >>>> articulated. The burden of proof rests on you to demonstrate what this >>>> value is - and what these risks are, that you believe should be taken >>>> seriously. You have not yet done that. >>>> >>>> >>>>> There’s also no guarantee that ACAB’C membership will be free in the >>>>> future. Organizations change. ACAB’c could also adopt membership rules >>>>> which some organizations are unable to comply with. >>>>> >>>> >>>> Again, how is this functionally different from WebTrust, which charges >>>> a licensing fee and which has restrictions on who can join? This is a point >>>> that goes back 20 years, in particular, during the discussion of Scott >>>> Perry as an auditor who was *not* WebTrust licensed at the time and >>>> not a CPA. I mention Scott as an example, because Scott S. Perry is who >>>> DigiCert has used as their auditor (and which was recently acquired by >>>> Shellman). >>>> >>>> The argument here does not establish why Mozilla should be concerned >>>> about free or not. Similarly, the point that ACAB'c "could" do something is >>>> nothing more that unsubstantiated FUD, because it ignores the fact that if >>>> there was a negative development, Mozilla - or anyone else - could respond >>>> if necessary. >>>> >>>> As was pointed out internally, ACAB’C is a very small association of >>>>> mostly French and German auditors, with very few members. As much as I >>>>> appreciate their work on templates and other issues, I don’t think forcing >>>>> people to join another organization is a good thing for organizations to >>>>> do, no matter how well-intended it is. It takes away their agency, which >>>>> will certainly put a damper on their desire to participate. >>>>> >>>> >>>> This is the closest we've got to actually establishing the substance of >>>> your objection, but it is entirely unclear what bearing it should have on >>>> this discussion. By this logic, requiring WebTrust licensed auditors is an >>>> equally unacceptable imposition - do you agree or not? >>>> >>>> Is there some point you believe is being overlooked? This message is >>>> full of conclusions, but lacks the logical footing necessary to reach those >>>> conclusions. If you think it's being misunderstood, please articulate. >>>> >>>> The fact that NABs/CABs have not solved this issue, that there has been >>>> years of discussion with ETSI, and that fundamentally the organizational >>>> goals of NABs/CABs is specifically to support that of Supervisory Bodies, >>>> and is not aligned with browser needs, appears to be entirely discarded >>>> here. There's zero reason to believe that continuing on the present course >>>> is somehow going to lead somewhere differently, other than in the abstract >>>> ideal state. >>>> >>>> I don't disagree that there are arguments being made here, but their >>>> arguments that are easily refuted, or which don't logically hold. I hope >>>> I'm overlooking something. >>>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" >>> <[email protected]> group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabTpQxDkCexfdYtU0UNs0L0X2EhKxApZF_kOBc9xwaNEA%40mail.gmail.com?utm_medium=email&utm_source=footer> >>> . >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/00702dfd-ce0a-b204-29f8-395d834a913e%40staff.aruba.it >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/00702dfd-ce0a-b204-29f8-395d834a913e%40staff.aruba.it?utm_medium=email&utm_source=footer> >>> . >>> >> -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabXvMWdzJOj5hsKb09VVf1%3Dk2jRu%3DCujMSUBL%2Ba_FFY1Q%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtabXvMWdzJOj5hsKb09VVf1%3Dk2jRu%3DCujMSUBL%2Ba_FFY1Q%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAErg%3DHFWbTK%2BCM5ri3--VOgNzu_M3SHJPs6-AkmNRhR5OouQhA%40mail.gmail.com.
